1 Introduction.

This technical report is intended to document the HOL [...] and the technical details concerning the execution of the proof scripts in HOL. The last section contains the proof scripts used to verify AVM-1.


1.1 AVM-1.

We have designed a computer designated AVM-1 (A Verified Microprocessor) to demonstrate the use of generic interpreters in verifying hierarchically decomposed microprocessor specifications. For a detailed look at the architecture and organization of AVM-1, see [Win90a].

[...] floating point unit, an interrupt controller, and a direct memory access chip.


1.2 An Architectural View.

[...] and the instructions available for manipulating that state. The architecture must [...] instructions are selected.

The instruction set for AVM-1 was inspired by the RISC I [Kat85]. There are a number of differences (such as using ALU operations to synthesize [...]).


1.2.1 The Registers.

AVM-1 has a load-store architecture based on a large register file. The register file is divided into three portions:

1. Register 0 which is read-only and contains the constant 0.

2. Seven supervisor-mode registers including a distinguished stack pointer (SSP). The supervisor-mode registers are [...] (determined by the 6th bit in the program status word).

3. Twenty-four general purpose registers.

Table 1: The program status word.

  Bit   Meaning when set
  ---   -------------------------------------
   0    Last ALU result was zero
   1    Last ALU operation caused a carry
   2    Last ALU result was negative
   3    Last ALU operation caused an overflow
   4    Interrupts enabled
   5    In supervisory mode

Two additional registers are visible at the architectural level: the program counter and the program 
status word. The program counter (PC) is used to sequence the computer — it indicates which instruction 
to execute next. 

The program status word (PSW) is used to keep track of the status of the last ALU operation, 
whether or not interrupts are enabled, and the privilege level of the CPU. Table 1 shows the meaning 
of the 6 bits in the program status word. 

AVM-1 shares a register, IVEC, with the interrupt controller. This register contains the interrupt 
vector and is read-only as far as the CPU is concerned. 


1.2.2 The Instruction Set. 

The instruction set contains 30 instructions. The opcode space has room for 64; the upper half of the
opcode space is reserved for future co-processors. As mentioned above, the instruction set is based on
a load-store architecture, meaning that most instructions are not allowed to access memory for their
operands.

The instruction formats are simple and regular. Figure 1 shows the four instruction formats. All 
of the formats use the same opcode field. 

In formats 1 and 2, the instruction is divided into four fields. The top 6 bits (31-26) give the
opcode of the instruction. The next 5 bits (25-21) denote the destination register in most operations.
The third field (bits 20-16) selects the register used as the A operand in most operations. In format 1,
the fourth field is comprised of bits 15-11 and is used to select the register used as the B operand. In
format 2, the fourth field uses all of the 16 remaining bits to form an immediate number (0 to 2^16 - 1).

Format 3 is identical to formats 1 and 2 except that only the opcode and destination fields are used. 
Format 4 uses only the opcode field. 
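The field layout just described, as an added Python example written for this page (it is not code from the report). The bit positions follow the text (opcode 31-26, destination 25-21, A 20-16, B 15-11, immediate 15-0), the opcode numbers follow Table 4 and the format of each mnemonic follows Table 2; the helper names `decode`, `encode` and `is_coprocessor_opcode` are ours. The encoder rejects values that do not fit their field and fields that a format does not carry, which is the check an assembler for this format would need.

```python
"""Encoder/decoder for the four AVM-1 instruction formats (Section 1.2.2).
Added example, not code from the report."""

# Table 4 as opcode -> mnemonic.  Opcodes 32-63 are reserved for co-processors.
OPCODES = {
    0b00000: "JMP",   0b00001: "CALL",  0b00010: "INT",   0b00011: "RTI",
    0b00100: "GPSW",  0b00101: "PPSW",  0b00110: "LD",    0b00111: "ST",
    0b01000: "LSL",   0b01001: "LSR",   0b01010: "ASR",   0b01011: "RTN",
    0b01100: "NOOP",  0b01101: "NOOP",  0b01110: "LDI",   0b01111: "STI",
    0b10000: "ADD",   0b10001: "ADDC",  0b10010: "SUB",   0b10011: "SUBC",
    0b10100: "BAND",  0b10101: "BOR",   0b10110: "BXOR",  0b10111: "BNOT",
    0b11000: "ADDI",  0b11001: "ADDCI", 0b11010: "SUBI",  0b11011: "SUBCI",
    0b11100: "BANDI", 0b11101: "BORI",  0b11110: "BXORI", 0b11111: "NOOP",
}

# Table 2 as mnemonic -> instruction format.
FORMAT = {"JMP": 2, "CALL": 2, "INT": 2, "RTI": 4, "GPSW": 3, "PPSW": 3,
          "LD": 1, "ST": 1, "LSL": 1, "LSR": 1, "ASR": 1, "RTN": 3,
          "LDI": 2, "STI": 2, "NOOP": 4,
          "ADD": 1, "ADDC": 1, "SUB": 1, "SUBC": 1,
          "BAND": 1, "BOR": 1, "BXOR": 1, "BNOT": 1,
          "ADDI": 2, "ADDCI": 2, "SUBI": 2, "SUBCI": 2,
          "BANDI": 2, "BORI": 2, "BXORI": 2}

# Which fields each format carries, with their widths and bit positions.
USES = {1: ("dest", "a", "b"), 2: ("dest", "a", "imm"), 3: ("dest",), 4: ()}
WIDTH = {"dest": 5, "a": 5, "b": 5, "imm": 16}
SHIFT = {"dest": 21, "a": 16, "b": 11, "imm": 0}

# Reverse map; NOOP has several opcodes and keeps the lowest one.
MNEMONIC_TO_OPCODE = {}
for _op, _mn in OPCODES.items():
    MNEMONIC_TO_OPCODE.setdefault(_mn, _op)


def is_coprocessor_opcode(word):
    """True when the 6-bit opcode lies in the reserved upper half (32-63)."""
    return ((word >> 26) & 0x3F) >= 32


def decode(word):
    """Split a 32-bit instruction word into its named fields."""
    if not 0 <= word < 1 << 32:
        raise ValueError("instruction word must be 32 bits")
    if is_coprocessor_opcode(word):
        raise ValueError("opcode reserved for co-processors")
    opcode = (word >> 26) & 0x3F
    mnemonic = OPCODES[opcode]
    fmt = FORMAT[mnemonic]
    fields = {"mnemonic": mnemonic, "format": fmt, "opcode": opcode}
    for name in USES[fmt]:
        fields[name] = (word >> SHIFT[name]) & ((1 << WIDTH[name]) - 1)
    return fields


def encode(mnemonic, dest=0, a=0, b=0, imm=0):
    """Build an instruction word, rejecting out-of-range or inapplicable fields."""
    fmt = FORMAT[mnemonic]
    word = MNEMONIC_TO_OPCODE[mnemonic] << 26
    for name, value in (("dest", dest), ("a", a), ("b", b), ("imm", imm)):
        if name not in USES[fmt]:
            if value:
                raise ValueError("format %d has no %s field" % (fmt, name))
            continue
        if not 0 <= value < 1 << WIDTH[name]:
            raise ValueError("%s does not fit in %d bits" % (name, WIDTH[name]))
        word |= value << SHIFT[name]
    return word


if __name__ == "__main__":
    w = encode("ADDI", dest=3, a=4, imm=0xFFFF)
    print(hex(w), decode(w))
```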

There is a trade off between instruction format complexity and verification effort, so in general [...]

Figure 1: The instruction formats in AVM-1.

  Format 1:  31-26 opcode | 25-21 dest | 20-16 A | 15-11 B | 10-0 unused
  Format 2:  31-26 opcode | 25-21 dest | 20-16 A | 15-0 immediate
  Format 3:  31-26 opcode | 25-21 dest | 20-0 unused
  Format 4:  31-26 opcode | 25-0 unused

value. There are 4 instructions for loading and storing [...] and [...] for performing user interrupts, jumps, subroutine calls, and shifts. For a detailed description of the instruction set, see [Win90a].

Synthesizing Addressing Modes. [...] results in faster operation of most of the instructions.

The addressing mode in the load and store [...] memory operation. This is [...]

Table 3 (adapted from [Kat85]) shows how the memory addressing scheme in AVM-1 can be used to support common constructs in modern high level languages.
Table 2: The AVM-1 instruction set.

  Mnemonic  Format  Effect
  --------  ------  ----------------------------------------------------
  JMP       2       Jump to new location on condition flags
  CALL      2       Call subroutine
  INT       2       User interrupt
  RTI       4       Return from interrupt
  GPSW      3       Get program status word
  PPSW      3       Put program status word
  LD        1       Load register
  ST        1       Store register
  LSL       1       Logical shift left
  LSR       1       Logical shift right
  ASR       1       Arithmetic shift right
  RTN       3       Return from subroutine
  LDI       2       Load register using immediate value
  STI       2       Store register using immediate value
  ADD       1       Add
  ADDC      1       Add with carry
  SUB       1       Subtract
  SUBC      1       Subtract with borrow (carry)
  BAND      1       Bit-wise conjunction
  BOR       1       Bit-wise disjunction
  BXOR      1       Bit-wise exclusive disjunction
  BNOT      1       Bit-wise negation
  ADDI      2       Add using immediate value
  ADDCI     2       Add with carry using immediate value
  SUBI      2       Subtract using immediate value
  SUBCI     2       Subtract with borrow using immediate value
  BANDI     2       Bit-wise conjunction using immediate value
  BORI      2       Bit-wise disjunction using immediate value
  BXORI     2       Bit-wise exclusive disjunction using immediate value
  NOOP      4       No operation
Table 3: Synthesizing addressing modes using AVM-1's load and store instructions.

  Mode      HLL Usage              Synthesizing in AVM-1
  --------  ---------------------  ---------------------
  Direct    Global Scalar          M[R[a] + imm]
  Indirect  Pointer Dereferencing  M[R[a] + R[0]]
  Indexed   Record Field           M[R[a] + imm]
  Indexed   Array Element          M[R[a] + R[b]]

• In direct mode, the A register holds the base of the data segment and the immediate value allows
addressing within ±2^15 of the base.

• In indirect mode, the A register holds the value of the pointer. R[0] holds the constant 0.

• To perform memory operations on records, the A register holds the base address of the record
and the immediate field holds the field offset into the record.

• Array operations are performed by using the A register to hold the base address of the array and
the B register to hold the index.


1.2.3 Selecting Instructions.

[...] opcode field, giving space for 32 instructions.

Table 4 gives a breakdown of the opcodes for AVM-1. The instruction set is divided into four groups [...] version of the instructions in group 3.

1.3 An Organizational View.

[...] We will discuss each of these.

1.3.1 The AVM-1 Datapath.

[...] shown.
Figure 2: The AVM-1 Datapath. [figure not reproduced]

Table 4: Opcode breakdowns for AVM-1's instruction set.

         00xxx   01xxx   10xxx   11xxx
  000    JMP     LSL     ADD     ADDI
  001    CALL    LSR     ADDC    ADDCI
  010    INT     ASR     SUB     SUBI
  011    RTI     RTN     SUBC    SUBCI
  100    GPSW    NOOP    BAND    BANDI
  101    PPSW    NOOP    BOR     BORI
  110    LD      LDI     BXOR    BXORI
  111    ST      STI     BNOT    NOOP

The datapath has three buses, a register file, [...] and latches. Two buses, A and B, are connected to the register file and the system registers. In [...]

The A and B buses feed the inputs to the ALU through two latches. [...] can also serve as the B input to the ALU through a multiplexor on the ALU input. [...] The shifter performs logical and arithmetic shifts. The result from the shifter is put onto the C bus for distribution.

In addition to a result, the ALU produces [...] which can be saved in the program status word. [...] the bit shifted out of the shifter to be saved in the carry bit of the PSW. [...] Control lines to the PSW allow the supervisor and interrupt enable bits to be set and cleared and the status bits to be loaded individually.

The status from the PSW and the destination field of the [...] should be loaded from the C bus. The program counter can also be loaded unconditionally.

The instruction register can be loaded from the C bus, but only the immediate portion of the instruction register can be placed on the B bus.

The [...] for loads and stores.

The datapath has two flipflops for holding the status of interrupt action, and three demultiplexors for decoding register selection signals from the control unit.
Table 5: Implementation of the jump codes for the JMP instruction. cf is the carry flag in the PSW, zf is the zero flag, etc.

  Code  Implementation
  ----  ----------------------
   0    cf
   1    ¬cf
   2    vf
   3    ¬vf
   4    nf
   5    ¬nf
   6    zf
   7    ¬zf
   8    (¬cf ∨ zf)
   9    ¬(¬cf ∨ zf)
  10    (nf ⊕ vf)
  11    ¬(nf ⊕ vf)
  12    ¬((nf ⊕ vf) ∨ zf)
  13    ((nf ⊕ vf) ∨ zf)
  14    true
  15    true

1.3.2 The Control Unit.

The control unit for AVM-1 is shown in Figure 3. The control unit has four major blocks: the
microprogram counter, the microinstruction register, the clock, and the microrom.

The microprogram counter is the most complex of the four. The function of the microprogram counter is to compute the next address for the microprogram based on [...] the program counter. There are 5 jump conditions.

1. No jump: the microprogram counter is incremented. This is the default operation.

2. Jump to addr unconditionally.

3. Jump to the location given by the opcode signal and an offset (4 in this [...]).

4. Jump to addr if the interrupt signal is true and interrupts are enabled.

5. Jump to addr if the supervisory mode signal is true.
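The five jump conditions above as next-address logic, in an added Python example written for this page (not the report's HOL definition in mpc_def.th). It assumes a 64-word microrom addressed by the 6-bit ADDR field and a 3-bit COND field (as in Table 6), and it takes the base of the opcode-relative jump (condition 3) as an `offset` parameter because the report's value is not legible here; the sample microprogram and the helper names are constructed for the example.

```python
"""Next-address logic of the AVM-1 microprogram counter (Section 1.3.2).
Added example, not code from the report."""

MICROROM_WORDS = 64   # 6-bit ADDR field (Table 6)


def next_mpc(cond, addr, mpc, opcode, interrupt, ie, sm, offset=0):
    """Return the next microprogram counter value.

    cond      -- jump condition 0..4 (the report's conditions 1..5)
    addr      -- the ADDR field of the current microinstruction (0..63)
    mpc       -- current microprogram counter
    opcode    -- opcode signal from the instruction register
    interrupt -- interrupt request line
    ie, sm    -- interrupt-enable and supervisory-mode bits of the PSW
    offset    -- assumed base for the opcode-relative jump (not in the report)
    """
    if not 0 <= cond <= 4:
        raise ValueError("undefined jump condition %r" % cond)
    if not 0 <= addr < MICROROM_WORDS:
        raise ValueError("ADDR field must fit in 6 bits")
    if cond == 0:                        # no jump: increment (default)
        target = mpc + 1
    elif cond == 1:                      # unconditional jump to addr
        target = addr
    elif cond == 2:                      # dispatch on opcode (assumed: offset + opcode)
        target = offset + opcode
    elif cond == 3:                      # jump only if an enabled interrupt is pending
        target = addr if (interrupt and ie) else mpc + 1
    else:                                # cond == 4: jump if in supervisory mode
        target = addr if sm else mpc + 1
    return target % MICROROM_WORDS       # 6-bit address wraps around


def trace_microcode(rom, start, opcode, interrupt, ie, sm, steps, offset=0):
    """Walk `rom` (one (cond, addr) pair per microrom word) from `start` for
    `steps` microinstructions and return the addresses visited."""
    mpc = start
    visited = [mpc]
    for _ in range(steps):
        cond, addr = rom[mpc]
        mpc = next_mpc(cond, addr, mpc, opcode, interrupt, ie, sm, offset)
        visited.append(mpc)
    return visited


# Constructed sample microprogram: word 0 checks for an enabled interrupt
# (-> word 20), word 1 dispatches on the opcode at offset 8, and each handler
# returns to word 0 with an unconditional jump.
DISPATCH_OFFSET = 8
SAMPLE_ROM = [(0, 0)] * MICROROM_WORDS
SAMPLE_ROM[0] = (3, 20)
SAMPLE_ROM[1] = (2, 0)
SAMPLE_ROM[DISPATCH_OFFSET + 5] = (1, 0)
SAMPLE_ROM[20] = (1, 0)


if __name__ == "__main__":
    print(trace_microcode(SAMPLE_ROM, 0, 5, False, False, False, 3, DISPATCH_OFFSET))
```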
Figure 4: The clock signals in AVM-1 (clk1, clk2, clk3, clk4). [timing diagram not reproduced]

The microinstruction register is a 40-bit register that holds the current microinstruction. The only 
special feature of the register is that each of the fields from the microinstruction are available through 
separate ports for use elsewhere in the control unit and datapath. 

The microinstruction format is shown in Table 6. A microinstruction consists of 40 bits in 24 
fields. The fields in a microinstruction can be broken into 4 groups: those affecting the operation of 
the microprocessor, those affecting the program status word, those dealing with external signals, and 
those that are used for microinstruction sequencing. For a detailed description of the microinstructions, 
see [Win90a]. 

The clock is a simple four-phase counter with a strobe line for each phase. Figure 4 shows the
output timing for the clock. The clk1 line, for example, is only true during phase 1, the clk2 line is
true during phase 2, and so on.

The microrom holds the microcode and is made from a read-only memory that is 40 bits wide and
64 words long.


1.3.3 Timing. 

The timing of AVM-1 is based on a four phase clock (see Figure 5). During the four phases, the
machine performs the following state transitions:

1. In phase 1, the microinstruction register is loaded from the microrom.

2. In phase 2, the latches feeding the ALU are loaded from the register file and system registers.

3. In phase 3, the results from the ALU and shifter are calculated. In addition, the MAR can be
loaded from the PC in this phase.

4. In phase 4, the result calculated in phase 3 is stored back into the register file and system registers. 
Table 6: The microinstruction format for AVM-1.

Microprocessor Group

  Mnemonic  Description
  --------  -------------------------
  AMUX      Toggle MUX on A-bus
  SHFT      Shifter function
  ALU       ALU function
  MAR       Load MAR from P-Mux
  MBR       Load MBR from C-bus
  PMUX      Toggle MUX loading MAR
  SRCA      A-bus source
  SRCB      B-bus source
  TRGT      C-bus target

Program Status Word Group

  Mnemonic  Description
  --------  -----------------------------------
  S_SM      Set supervisory mode bit in PSW
  C_SM      Clear supervisory mode bit in PSW
  S_IE      Set interrupt enable bit in PSW
  C_IE      Clear interrupt enable bit in PSW
  LD_C      Load carry bit in PSW
  LD_V      Load overflow bit in PSW
  LD_N      Load negative bit in PSW
  LD_Z      Load zero bit in PSW
  CSEC      Source of carry (shifter or alu)

External Signals Group

  Bits  Mnemonic  Description
  ----  --------  ----------------------------
  1     IACK      Interrupt acknowledge signal
  1     FTCH      Fetch signal
  1     RD        Read signal
  1     WR        Write signal

Microprogram Counter Group

  Bits  Mnemonic  Description
  ----  --------  -------------------------
  3     COND      Microcode jump condition
  6     ADDR      Next address
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Figure 5: A PERT phase diagram for AVM-1 . 

Every microinstruction is executed by the phase sequence described above. Since microinstructions
are used to implement the macroinstructions, the timing for a macroinstruction is dependent on the
number of microinstructions in its implementation. In most cases this number is 4.


2 The Organization of the Proof 


This section presents the organization of the proof of AVM-1 in HOL. The section discusses the overall 
proof organization, gives a description of the theories making up the proof and gives some measurements 
of the complexity of the proof. 


2.1 Proof organization 

The proof for AVM-1 contains more than 25 theories. This section presents the general proof organi- 
zation (the hierarchy of theories) and briefly describes the contents of each theory. 

Figure 6 shows how the major theories of the proof of AVM-1 are related. This hierarchy
shows avm.th as the child theory of a long ancestry that follows the hierarchical decomposition discussed
in [Win90a]. The picture is not complete; there are many theories not shown. For example, aux_def.th
is the ancestor of almost every theory in the proof.

The rest of this section gives a taxonomy of the major theories in the proof of AVM-1 . 
Figure 6: The theory hierarchy for the proof of AVM-1.

Generic Interpreters. The generic interpreter theories include the synchronous model, the temporal
abstraction theory, and the asynchronous model.

• gen_I_sync.th — Defines and verifies a synchronous version of the generic interpreter theory.

• time_abs.th — Defines a temporal abstraction function and proves several useful lemmas con-
cerning it.

• gen_I.th — Contains the generic definition of an interpreter used in the definition and proof of
the various levels in AVM-1.

Auxiliary Theories. There are a number of auxiliary theories that are used throughout the proof
of AVM-1.

• aux_def.th — Contains the abstract definition for n-bit words. The definition is accomplished
using the functions in abstract.ml, the ML code for producing abstract theories.

• aux_thms.th — Contains auxiliary definitions and theorems. The theory is an ancestor of many
of the main theories in the proof.

• jump_def.th — Contains the definition of the jump condition logic that is used at every level.

• reg_def.th — Contains the definition of the register file. Several distinguished registers are
defined and the function for updating the register file is given.
The Electronic Block Model. The electronic block model description depends on a number of
theories. The definition makes use of a generic ALU that is subsequently instantiated to define the
ALU used in AVM-1. The shifter and microprogram counter are also defined separately.

• mux16_def.th — Contains the definition of a 16 input multiplexor that is used in the definition
of the generic ALU theory.

• gen_alu.th — Contains the abstract definition and verification of a 16 function ALU.

• alu_def.th — Contains the instantiation of the generic ALU theory presented in the last section
for a specific set of functions. The correctness result is meaningless since the modules used to
implement the functions are null modules. This does not affect the validity of the proof presented
here since only the definition is used in subsequent theories. A number of theorems about the
ALU's output are proven here and are used in subsequent proofs.

• shifter_def.th — Contains the definition of a 4 function shifter that is used in defining the
electronic block model. A number of theorems about the shifter's output are proven here and are
used in subsequent proofs.

• mpc_def.th — Contains the definition of the microprogram counter unit that is used in the
definition of the electronic block model and the phase-level.

• select_def.th — Contains the definition of the state selectors for the electronic block model.

• block_def.th — This theory contains the definition of the electronic block model. The theory
contains the definition of most of the blocks used to construct the electronic block model.

The Phase-Level. This section presents the theories that define the phase-level interpreter. Also 
presented is the theory that verifies the phase-level interpreter with respect to the electronic block 
model. 

• ucode_aux.ml — Contains the ML code that defines the microcode assembler. No theory is
created; the assembler is an ML program that creates the appropriate terms for a given program
statement.

• ucode_def.th — Defines the type for the microcode as well as a number of selector functions
that return the various fields that make up a microinstruction.

• phase_def.th — Defines the abstract behavior of the 4 phase-level instructions and gives several
auxiliary definitions used in instantiating the abstract interpreter theory.

• phase.th — Contains the correctness result for the phase-level. The result is obtained by
instantiating the generic interpreter theory contained in gen_I.th.
The Micro-Level. This section presents the theories that define the micro-level interpreter. Also
presented is the theory that verifies the micro-level interpreter with respect to the phase-level inter-
preter.

• micro_def.th — Defines the abstract behavior of the 64 micro-level instructions and gives several
auxiliary definitions used in instantiating the abstract interpreter theory.

• uinst_def.th — Defines the microinstructions and combines them together into the microrom.

• micro.th — Contains the correctness result for the micro-level. The result is obtained by
instantiating the generic theory gen_I.th.

The Macro-Level. This section presents the theories that define the macro-level interpreter. Also
presented is the theory that verifies the macro-level interpreter with respect to the micro-level inter-
preter.

• macro_def.th — Defines the abstract behavior of the 32 macro-level instructions and gives
several auxiliary definitions used in instantiating the abstract interpreter theory.

• macro.th — Contains the correctness result for the macro-level. The result is obtained by
instantiating the generic theory gen_I.th.

The Final Result. This section presents the theory that proves AVM-1 correct. The theory is the
descendant of all of the theories presented earlier.

• avm.th — Contains the correctness result for the microprocessor. The final result is obtained
by combining the correctness results from phase.th, micro.th and macro.th.

2.2 Proof Metrics.

Table 7 presents the run-times for the various theories in the proof on a SPARCStation with 16 Mbytes
of memory. The times are CPU seconds. The table also gives the number of inferences required
to run the corresponding ML script in HOL. We were using version 1.10 of HOL built using the
Kyoto Common Lisp compiler.

The total time to run the proof was 208029.1 CPU seconds, or nearly 58 CPU hours. The proof
took almost a week of elapsed time because the core images were quite large (as high as [...] Mbytes)
and caused the operating system to thrash when garbage collecting.

There are several files in the table that were not discussed in the last section. Due to size limi-
tations, the files mk_mic_x1.ml and mk_mic_x2.ml were broken out of mk_micro.ml,
and mk_mac_I.ml, mk_mac_1.ml, and mk_mac_2.ml were broken out of mk_macro.ml.
Table 7: Script run-times on a SPARCStation with 16M of memory.

  File Name       Time (CPU sec.)  Inferences
  --------------  ---------------  ----------
  def_aux.ml               3070.7          88
  mk_aux.ml                1117.5       33852
  def_regs.ml                41.0          14
  def_jump.ml                50.7           4
  def_macro.ml             2373.5          84
  mk_time.ml                126.8        7256
  mk_I.ml                   229.9       11727
  def_micro.ml             7063.6       48460
  def_mpc.ml                  6.4           4
  def_ucode                 115.6          50
  def_phase.ml              915.2          32
  def_mux16.ml              344.2       29211
  mk_gen_alu.ml            8038.4      101155
  def_alu.ml               2325.3       70815
  def_shift.ml              129.0        2891
  def_select.ml            1969.0       43903
  def_block.ml             1316.0       14738
  mk_phase.ml             12818.4      355161
  def_uinst                 568.5         107
  mk_mic_x1.ml            54846.2     1589683
  mk_mic_x2.ml            51300.6     1500604
  mk_micro.ml             13505.3      295744
  mk_mac_I.ml               688.3        3985
  mk_mac_1.ml             16774.1      389738
  mk_mac_2.ml             20256.1      457606
  mk_macro.ml              7247.9      200120
  mk_avm.ml                 790.9       10031
  --------------  ---------------  ----------
  Total                  208029.1     5167063



3 The Proof

This section documents the HOL theories that make up the proof discussed in [Win90a]. The HOL
code for each theory is presented. The proof organization is presented in Section 2.


3.1 The Generic Interpreters 


3.1.1 Synchronous Interpreters 

This section presents the ML code that creates the theory gen_I_sync.th.

%
File:      mk_I.ml
Author:    (c) P. J. Windley 1990
Date:      09 JAN 90
Modified:  14 FEB 90

Description:

Defines a generic interpreter used in subsequent specifications.
The interpreter is proven to be correct under certain obligations.
The interpreter in this file is synchronous.

2/13/90 -- Modified to take external lines into account
%

set_search_path (search_path() @
 [`/muztag/home/windley/hol/tactics/`;
  `/muztag/home/windley/hol/ml/`;
  `/muztag/home/windley/hol/Library/assoc/`
 ]);;

system `/bin/rm gen_I_sync.th`;;
new_theory `gen_I_sync`;;

map loadf [`abstract`];;
new_type_abbrev(`time`, ":num");;
new_type_abbrev(`time'`, ":num");;

% Generic specification %

let cpu_abs = new_abstract_representation
 [
  (`inst_list`, ":(*key#(*state->*env->*state)) list");
  (`key`, ":*key->num");
  (`select`, ":*state->*env->*key");
  (`cycles`, ":*key->num");
  (`substate`, ":*state'->*state");
  (`subenv`, ":*env'->*env");
  (`Impl`, ":(time'->*state')->(time'->*env')->bool");
  (`count`, ":*state'->*env'->*key");
  (`start`, ":*key")
 ];;

make_inst_thms cpu_abs;;

let I_rep_ty = abstract_type `gen_I_sync` `key`;;

% INTERP: at every time t the next state is produced by the instruction
  selected from the current state and environment. %
let INTERP_def = new_definition
 (`INTERP`,
  "! (rep:^I_rep_ty) (s:time->*state) (e:time->*env) .
   INTERP rep s e =
    !t:time .
     let n = (key rep (select rep (s t) (e t))) in (
      s(t+1) = (SND (EL n (inst_list rep))) (s t) (e t))"
 );;

let INTERP_DEF_EXPANDED = EXPAND_LET_RULE INTERP_def;;

% INST_CORRECT: an instruction is correctly implemented if, whenever it is
  selected at a low-level time where the cycle count is at its start value,
  the abstracted state after `cycles` low-level steps is the one the
  instruction's semantics gives, and the cycle count is back at start. %
let inst_correct_def = new_definition
 (`INST_CORRECT`,
  "! inst:(*key#(*state->*env->*state))
     (s':time'->*state')
     (e':time'->*env') .
   INST_CORRECT rep s' e' inst =
    (Impl (rep:^I_rep_ty) s' e') ==>
    (!t:time' .
      let s = (\t. (substate rep (s' t))) in
      let e = (\t. (subenv rep (e' t))) in
      let c = (cycles rep (select rep (s t) (e t))) in (
       (select rep (s t) (e t) = (FST inst)) /\
       (count rep (s' t) (e' t) = (start rep)) ==>
        ((SND inst) (s t) (e t) = (s (t + c))) /\
        (count rep (s' (t + c)) (e' (t + c)) = (start rep))))"
 );;

let INST_CORRECT_EXPANDED = BETA_RULE (EXPAND_LET_RULE inst_correct_def);;
% Theory obligations: every instruction in inst_list is correct, every key
  indexes inside inst_list, and key/inst_list are consistent. %
new_theory_obligations
 [
  "EVERY (INST_CORRECT (rep:^I_rep_ty)
                       (s':time'->*state')
                       (e':time'->*env'))
         (inst_list rep)";

  "!k:*key. (key (rep:^I_rep_ty) k) < (LENGTH (inst_list rep))";

  "!k:*key. k = (FST (EL (key (rep:^I_rep_ty) k) (inst_list rep)))"
 ];;


let IMPL_NEXTSTATE_LEMMA = TAC_PROOF
 (([],
   "let s = (\t:time . (substate rep (s' t))) and
        e = (\t:time . (subenv rep (e' t))) in (
    (Impl (rep:^I_rep_ty)) s' e' ==>
    (!t:time' .
      (count rep (s' t) (e' t) = (start rep)) ==>
      ((substate rep (s' (t+(cycles rep (select rep (s t) (e t)))))) =
       (SND (EL (key rep (select rep (s t) (e t)))
                (inst_list rep))) (s t) (e t))))"),
  EXPAND_LET_TAC
  THEN BETA_TAC
  THEN REPEAT STRIP_TAC
  THEN POP_ASSUM_LIST (\asl .
   let asl' =
    map (PURE_REWRITE_RULE [EVERY_EL; INST_CORRECT_EXPANDED]) asl in
   MAP_EVERY ASSUME_TAC
    (map
     (\thm.
      (SPEC "(key (rep:^I_rep_ty)
              (select rep
               (substate rep (s' t))
               (subenv rep (e' t))))" thm) ?
      (SPEC "(select (rep:^I_rep_ty)
              (substate rep (s' t))
              (subenv rep (e' t)))" thm) ?
      thm) asl'))
  THEN POP_ASSUM (\thm. ASSUME_TAC (REWRITE_RULE [] (SPEC "t:time'" thm)))
  THEN RES_TAC
  THEN FIRST_ASSUM (ACCEPT_TAC o SYM_RULE)
 );;

let IMPL_NEXTSTATE_LEMMA_EXPANDED =
 BETA_RULE (
  EXPAND_LET_RULE IMPL_NEXTSTATE_LEMMA);;


% time_shift f s e n: the low-level time at which the n-th high-level step
  begins; each step advances by f applied to the current state and env. %
let time_shift = new_prim_rec_definition
 (`time_shift`,
  "(time_shift f (s:time->*state) (e:time->*env) 0 = 0) /\
   (time_shift f s e (SUC n) = (
    let t = (time_shift f s e n) in
    t + (f (s t) (e t))))"
 );;

let I_CLOCK_LEMMA = TAC_PROOF
 (([],
   "let s = (\t:time . (substate rep (s' t))) and
        e = (\t:time . (subenv rep (e' t))) in (
    (Impl rep) s' e' /\
    ((count rep) (s' 0) (e' 0) = (start rep)) ==>
    !t. let t_impl =
         (time_shift (\st env . (cycles rep (select rep st env))) s e t) in
        (count (rep:^I_rep_ty)) (s' t_impl) (e' t_impl) = (start rep))"),
  EXPAND_LET_TAC
  THEN BETA_TAC
  THEN REPEAT GEN_TAC
  THEN STRIP_TAC
  THEN INDUCT_TAC
  THEN REWRITE_TAC [time_shift; o_DEF; LET_DEF]
  THEN (FIRST_ASSUM ACCEPT_TAC ORELSE ALL_TAC)
  THEN POP_ASSUM (\thm. ASSUME_TAC
   (CONV_RULE (TOP_DEPTH_CONV BETA_CONV)
    (ONCE_REWRITE_RULE [o_DEF] thm)))
  THEN BETA_TAC
  THEN POP_ASSUM_LIST (\asl .
   let asl' =
    map (PURE_REWRITE_RULE [EVERY_EL; INST_CORRECT_EXPANDED]) asl in
   MAP_EVERY ASSUME_TAC
    (map
     (\thm.
      (SPEC "(key (rep:^I_rep_ty)
              (select rep
               (substate rep
                (s'
                 (time_shift
                  (\st env. cycles rep (select rep st env))
                  (\t'. substate rep (s' t'))
                  (\t'. subenv rep (e' t')) t)))
               (subenv rep
                (e'
                 (time_shift
                  (\st env. cycles rep (select rep st env))
                  (\t'. substate rep (s' t'))
                  (\t'. subenv rep (e' t')) t)))))" thm) ?
      (SPEC "(select (rep:^I_rep_ty)
              (substate rep
               (s'
                (time_shift
                 (\st env. cycles rep (select rep st env))
                 (\t'. substate rep (s' t'))
                 (\t'. subenv rep (e' t')) t)))
              (subenv rep
               (e'
                (time_shift
                 (\st env. cycles rep (select rep st env))
                 (\t'. substate rep (s' t'))
                 (\t'. subenv rep (e' t')) t))))" thm) ?
      thm) asl'))
  THEN POP_ASSUM (\thm. ASSUME_TAC (REWRITE_RULE []
   (SPEC "(time_shift
           (\st env. cycles (rep:^I_rep_ty) (select rep st env))
           (\t'. substate rep (s' t'))
           (\t'. subenv rep (e' t')) t):time'" thm)))
  THEN RES_TAC
 );;

let I_CLOCK_LEMMA_EXPANDED =
 BETA_RULE (
  EXPAND_LET_RULE I_CLOCK_LEMMA);;


let IMPL_I_CORRECT = prove_thm
 (`IMPL_I_CORRECT`,
  "let s = (\t:time . (substate rep (s' t))) and
       e = (\t:time . (subenv rep (e' t))) in (
   (Impl rep) s' e' /\
   ((count (rep:^I_rep_ty)) (s' 0) (e' 0) = (start rep)) ==>
   let i = time_shift (\st env. (cycles rep (select rep st env))) s e in
   (INTERP rep) (s o i) (e o i))",
  EXPAND_LET_TAC
  THEN BETA_TAC
  THEN REPEAT GEN_TAC
  THEN PURE_REWRITE_TAC [INTERP_DEF_EXPANDED; o_DEF]
  THEN STRIP_TAC
  THEN IMP_RES_TAC (PURE_ONCE_REWRITE_RULE [o_DEF] I_CLOCK_LEMMA_EXPANDED)
  THEN GEN_TAC
  THEN BETA_TAC
  THEN PURE_ONCE_REWRITE_TAC
   [EXPAND_LET_RULE (REWRITE_RULE [ADD1] time_shift)]
  THEN BETA_TAC
  THEN POP_ASSUM (\x. ASSUME_TAC (SPEC "t:time" x))
  THEN IMP_RES_TAC IMPL_NEXTSTATE_LEMMA_EXPANDED
 );;

close_theory();;


3.1.2 Temporal Abstraction

This section presents the ML code that creates the theory time_abs.th.

%
File:      mk_time.ml
Author:    (c) P. J. Windley 1990
Date:      19 FEB 90
Modified:

Description:

Creates a theory of temporal abstractions as defined in [1,2].
The theory defines several temporal operators and a temporal
projection function that can be used to relate time at
different levels of abstraction.

[1] Melham, Thomas F., "Abstraction Mechanisms for Hardware
    Verification"

[2] Joyce, Jeffrey J., "Multi-Level Verification of
    Microprocessor-Based Systems"
%

set_search_path (search_path() @ [`/muztag/home/windley/hol/tactics/`;
                                  `/muztag/home/windley/hol/ml/`;
                                  `/muztag/home/windley/hol/Library/assoc/`
                                 ]);;

system `/bin/rm time_abs.th`;;

new_theory `time_abs`;;

new_type_abbrev(`time`, ":num");;

% First g t: t is the earliest time at which g holds. %
let First = new_definition
 (`First`,
  "! g t. First g t =
   (!p:time. p < t ==> ~(g p)) /\
   (g t)"
 );;

% Next g (t1,t2): t2 is the earliest time after t1 at which g holds. %
let Next = new_definition
 (`Next`,
  "! g t1 t2 . Next g (t1,t2) =
   (t1 < t2) /\
   (!t:time . t1 < t /\ t < t2 ==> ~(g t)) /\
   (g t2)"
 );;

% Temp_Abs g n: the n-th time point at which g holds, chosen with @. %
let Temp_Abs = new_prim_rec_definition
 (`Temp_Abs`,
  "(Temp_Abs g 0 = @t:time . First g t) /\
   (Temp_Abs g (SUC n) = @t:time . Next g (Temp_Abs g n,t))"
 );;
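The operators First, Next and Temp_Abs defined above, together with time_shift and INTERP from mk_I.ml (Section 3.1.1), in an added Python example written for this page; it is not part of the report's HOL code. It computes the operators over a finite trace (the HOL definitions use the choice operator over all of time, so a `HORIZON` is assumed), and it checks on a constructed two-instruction machine the relation that I_CLOCK_LEMMA and IMPL_I_CORRECT establish: the times picked out by Temp_Abs of "count = start" coincide with those computed by time_shift, and the low-level trace sampled at those times is exactly the INTERP run. The machine, its cycle counts and the helper names are all constructed for the example.

```python
"""Temporal abstraction (First/Next/Temp_Abs) and the generic-interpreter clock
relation (time_shift, INTERP) on a constructed toy machine.
Added example, not code from the report."""

HORIZON = 64   # assumed finite trace length; the HOL versions range over all time


# ---- temporal abstraction over a finite trace --------------------------------
def first(g):
    """Witness of `First g t`: the least t < HORIZON with g(t), else None."""
    return next((t for t in range(HORIZON) if g(t)), None)


def next_after(g, t1):
    """Witness of `Next g (t1,t2)`: the least t2 > t1 with g(t2), else None."""
    return next((t for t in range(t1 + 1, HORIZON) if g(t)), None)


def temp_abs(g, n):
    """Temp_Abs g n: the n-th (0-based) time point at which g holds."""
    t = first(g)
    for _ in range(n):
        if t is None:
            return None
        t = next_after(g, t)
    return t


# ---- a toy high-level machine in the shape of INTERP -------------------------
# Constructed instruction list: (key, semantics) pairs, as in inst_list.
INST_LIST = [("inc", lambda s, e: s + e), ("dbl", lambda s, e: 2 * s)]
KEY = {"inc": 0, "dbl": 1}        # key rep
CYCLES = {"inc": 2, "dbl": 3}     # cycles rep: low-level steps per instruction
START = 0                         # start rep


def select(s, e):
    """select rep: which instruction runs from state s under environment e."""
    return "dbl" if s % 2 == 0 else "inc"


def interp(s0, env, steps):
    """INTERP rep s e: s(t+1) = SND (EL (key (select (s t) (e t))) inst_list) (s t) (e t)."""
    trace = [s0]
    for t in range(steps):
        s, e = trace[-1], env(t)
        _, f = INST_LIST[KEY[select(s, e)]]
        trace.append(f(s, e))
    return trace


def time_shift(cycles, s, e, n):
    """time_shift f s e n: the low-level time at which the n-th high-level step begins."""
    t = 0
    for _ in range(n):
        t = t + cycles(s(t), e(t))
    return t


# ---- a toy low-level implementation: state' = (s, count) ---------------------
def impl_trace(s0, env):
    """Run the low-level machine for HORIZON steps.  The count advances once per
    step and the instruction's effect lands when the count reaches cycles-1."""
    trace = [(s0, START)]
    for t in range(HORIZON):
        s, count = trace[-1]
        e = env(t)
        k = select(s, e)
        if count + 1 == CYCLES[k]:
            trace.append((INST_LIST[KEY[k]][1](s, e), START))
        else:
            trace.append((s, count + 1))
    return trace


def check_clock_lemma(s0, env, n):
    """The content of I_CLOCK_LEMMA / IMPL_I_CORRECT on the toy machine: Temp_Abs of
    `count = start` agrees with time_shift, and the abstracted low-level trace
    sampled at those times equals the INTERP run."""
    low = impl_trace(s0, env)
    substate = lambda t: low[t][0]
    count = lambda t: low[t][1]
    g = lambda t: count(t) == START
    cycles = lambda st, ev: CYCLES[select(st, ev)]
    shifted = [time_shift(cycles, substate, env, i) for i in range(n + 1)]
    abstracted = [temp_abs(g, i) for i in range(n + 1)]
    return shifted == abstracted and [substate(t) for t in shifted] == interp(s0, env, n)


if __name__ == "__main__":
    print(check_clock_lemma(3, lambda t: 1, 3))
```

With the constructed machine started in state 3 under a constant environment of 1, the low-level trace reaches the abstraction points 0, 2, 5, 8 and the sampled states 3, 4, 8, 16, which is the INTERP run; the all-true signal gives Temp_Abs as the identity, the content of Temp_Abs_DEGENERATE later in this section.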


let LEMMA1 =
 GEN_ALL (
  DISCH_ALL (
   CONJUNCT2 (
    SELECT_RULE (
     ASSUME "?t:time. (f t) /\ (g t)")))));;

let FIRST_LEMMA1 = TAC_PROOF
 (([],
   "!f .
    (?t:time . f t) /\
    (!t . f t ==> (?n. Next f(t,t + n) /\ r(t,t + n))) ==>
    ?t . First f t"),
  REPEAT GEN_TAC
  THEN STRIP_GOAL_THEN ((MAP_EVERY ASSUME_TAC) o CONJUNCTS)
  THEN IMP_RES_TAC WOP
  THEN PURE_ONCE_REWRITE_TAC [First]
  THEN PURE_ONCE_REWRITE_TAC [CONJ_SYM]
  THEN ASM_REWRITE_TAC []
 );;

let FIRST_LEMMA2 =
 GEN_ALL (
  REWRITE_RULE [SYM_RULE First] (
   IMP_TRANS
    (SPEC_ALL (
      REWRITE_RULE [First] FIRST_LEMMA1))
    (BETA_RULE (
      SPECL ["\t. (!p. p < t ==> ~(f p))";
             "\t. (f t):bool"] LEMMA1))));;


let NEXT_LEMMA1 = TAC_PROOF
 (([],
   "!f n .
    (?t:time . f t) /\
    (!t. f t ==> (?n. Next f(t,t + n) /\ r(t,t + n))) /\
    (f (Temp_Abs f n)) ==>
    ?t. Next f (Temp_Abs f n, t)"),
  REPEAT STRIP_TAC
  THEN RES_TAC
  THEN ASSUM_LIST (\asl . MAP_EVERY STRIP_ASSUME_TAC asl)
  THEN EXISTS_TAC "(Temp_Abs f n) + n'"
  THEN ASSUM_LIST (\asl. FIRST (map ACCEPT_TAC asl))
 );;

let NEXT_LEMMA2 =
 GEN_ALL (
  REWRITE_RULE [SYM_RULE Next] (
   IMP_TRANS
    (SPEC_ALL (
      REWRITE_RULE [Next] NEXT_LEMMA1))
    (PURE_ONCE_REWRITE_RULE [SYM_RULE CONJ_ASSOC] (
      BETA_RULE (
       SPECL ["\t. ((Temp_Abs f n) < t) /\
                   (!t' . (Temp_Abs f n) < t' /\ t' < t ==> ~f t')";
              "\t. (f t):bool"] LEMMA1)))));;

let ALL_F_Temp_Abs = TAC_PROOF
 (([],
   "!f .
    (?t:time . f t) /\
    (!t. f t ==> (?n. Next f(t,t + n) /\ r(t,t + n))) ==>
    !n. f (Temp_Abs f n)"),
  REPEAT GEN_TAC
  THEN STRIP_GOAL_THEN ((MAP_EVERY ASSUME_TAC) o CONJUNCTS)
  THEN INDUCT_TAC
  THEN REWRITE_TAC [Temp_Abs]
  THENL [
   IMP_RES_TAC FIRST_LEMMA2;
   IMP_RES_TAC NEXT_LEMMA2
  ]
 );;


let ONE_OR_THE_OTHER = TAC_PROOF
 (([],
   "! a b . ~(a = b) ==> (a < b \/ b < a)"),
  INDUCT_TAC
  THEN INDUCT_TAC
  THEN ASM_REWRITE_TAC [SYM_RULE NOT_SUC;LESS_0;
                        INV_SUC_EQ;LESS_MONO_EQ]
 );;

let First_UNIQUE = prove_thm
 (`First_UNIQUE`,
  "! g t1 t2 .
   (First g t1 /\ First g t2) ==> (t1 = t2)",
  PURE_ONCE_REWRITE_TAC [First]
  THEN REPEAT STRIP_TAC
  THEN ASM_CASES_TAC "t1 = t2"
  THEN ASM_REWRITE_TAC []
  THEN IMP_RES_TAC ONE_OR_THE_OTHER
  THENL [ % 1 %
   ASSUM_LIST (\asl. ASSUME_TAC (
    SPEC "t1:time" (el 4 asl)))
  ; % 2 %
   ASSUM_LIST (\asl. ASSUME_TAC (
    SPEC "t2:time" (el 4 asl)))
  ]
  THEN RES_TAC
 );;
let Next_UNIQUE = prove_thm
 (`Next_UNIQUE`,
  "!t t1 t2 f .
   (Next f (t,t1) /\ Next f (t,t2)) ==> (t1 = t2)",
  PURE_ONCE_REWRITE_TAC [Next]
  THEN REPEAT STRIP_TAC
  THEN ASM_CASES_TAC "t1 = t2"
  THEN ASM_REWRITE_TAC []
  THEN IMP_RES_TAC ONE_OR_THE_OTHER
  THENL [ % 1 %
   ASSUM_LIST (\asl. ASSUME_TAC (
    SPEC "t1:time" (el 7 asl)))
  ; % 2 %
   ASSUM_LIST (\asl. ASSUME_TAC (
    SPEC "t2:time" (el 7 asl)))
  ]
  THEN RES_TAC
 );;

l.t *EXT_CH00SE_ LEMMA » TAC.PROOF 

((□i 

"!1 u n . 

(?t. f t) A , ... ,. 

( !t . j t — > (?n. Hext f (t.t + n) A r(t.t + n))) /\ 
l*xt l(T«p_Abs f u, (Tamp.Abs 1 u) + n) “> 

((•t. *axt t (Taap.Abs t u.t)) - C (Tamp.Abs f u) + n))"). 

REPEAT GEH.TAC 

THE* STRIP .GOAL.THE* ((MAP .EVERY ASSUME.TAC) o COHJUHCTS) 

THE* MATCH.MP.TAC 

(SPECL ["Texp.Abs f u"; 

"(•t. *ext i(T«»p_Aba f u,t))"; 

" (Taap.Abs 1 u) + n"; 

"f :nuM->bool"] Hext.UHIQUE) 

THE* ASM.REWRITE.TAC □ 

THE* COHV.TAC SELECT.COKV 
THE* IMP.RES.TAC ALL_F_T«xp_Abs 
THE* IMP.RES.TAC 

(SPECL ["1 :nux->bool" ; 

"u:ti»«"3 HEXT.LEMMAl) 

THE* ASSUM.LIST (\aal. ACCEPT.TAC 

(REHRITE.RULE [•! 3 aal] (al 1 aal))) 


lat IBF.Taap.Aba » proya.th* 

('I*F_T«p_Abs‘ , 

"« i r. 

(? t:ti»a . f t) A , .. 

(• t:ti*a . 1 t “> ? n • *axt t (t,t+n) A r(t,t-*n)) “> 

! u . r (Taap.Aba 1 u. Taap.Aba f (u+1))", 

REPEAT GEH.TAC 

THE* STRIP .GDAL.THE* ((MAP .EVERY ASSUME.TAC) o C0*JU*CTS) 
THE* REPEAT GEH.TAC 
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THEM IHP.RES.TAC ALL_F_T#*p_Abs 

THE! PURE_OICE.REWRITE.TAC [STM.RULE ADD1] 

THE! ASM.REWRITE.TAC [Tssp.Abs] 

THE* ASSUM.UST (\asl . STRIP.ASSUME.TAC ( 
REWRITE.RULE [«1 1 ul] 

(SPEC *T«p_Ab» 1 u" (*1 3 Ml)))) 
THE! IKP.RES.TAC NEXT.CHOOSE.LEMMA 
THE! ASM.REWRITE.TAC [] 

);: 


1st Tssp.Abs. DEGENE RATE ■ prors.th* 

( ' Tsmp.Abs .DEGENERATE * . 

"Tsap.Abs (\t:ti*s.T) - I", 

CONV.TAC ( DEPTH _CONV FUN.EQ.CONV) 

THEN INDUCT.TAC 

THEN ASM.REWRITE.TAC [Tsxp.Abs ; I.THM] 

THENL [ % 1 I 
MATCH.MP.TAC 

(SPECL ["\t ’ :ti»s.T"; 

"•t. First (\t’:tims.T) t" 
" 0 "; 

] First.UNIQUE) 

THEN CONV.TAC (DEPTH.CONV SELECT.CONV) 
THEN REWRITE. TAC [First ;NOT_LESS.O] 

THEN EXISTS.TAC "0" 

; % 2 X 

MATCH.MP.TAC 

(SPECL ["n:ti»s"; 

"•t. Nsxt (\t:tims.T)(n,t) 
»SUC n"; 

•*Vt * :ti»s.T"] Nsxt .UNIQUE) 
THEN CONV.TAC (DEPTH.CONV SELECT.CONV) 
THEN REWRITE.TAC [Nsxt ;LESS_SUC_REFL] 

THEN CONJ.TAC 
THENL [ X 2.1 % 

EXISTS.TAC "SUC n" 

-, 12.21 

ALL.TAC 

] 

] 

THEN REWRITE.TAC [LESS.SUC.REFL ; LESS.LESS.SUC ; 
NOT.LESS.O] 



3.1.3 Asynchronous Interpreters

This section presents the ML code that creates the theory gen_I.th.

%
    File:        mk_I.ml
    Author:      (c) P. J. Windley 1990
    Date:        09 JAN 90
    Modified:    19 FEB 90

    Description:

    Defines a generic interpreter used in subsequent specifications.
    The interpreter is proven to be correct under certain obligations.
    The interpreter in this file is synchronous.

    2/13/90 -- Modified to take external lines into account.

    2/19/90 -- Modified to make asynchronous.
%

set_search_path (search_path() @
    [`/muztag/home/windley/hol/tactics/`;
     `/muztag/home/windley/hol/ml/`;
     `/muztag/home/windley/hol/Library/assoc/`;
    ]);;

system `/bin/rm gen_I.th`;;
new_theory `gen_I`;;
map loadf [`abstract`];;
map load_parent [`time_abs`];;
new_type_abbrev (`time`,":num");;
new_type_abbrev (`time'`,":num");;

%
    Generic specification
%

let cpu_abs = new_abstract_representation
    [
     (`inst_list`,":(*key#(*state->*env->*state))list")
     ;
     (`key`,":*key->num")
     ;
     (`select`,":*state->*env->*key")
     ;
     (`substate`,":*state'->*state")
     ;
     (`subenv`,":*env'->*env")
     ;
     (`Impl`,":(time'->*state')->(time'->*env')->bool")
     ;
     (`count`,":*state'->*env'->*key'")
     ;
     (`start`,":*key'")
    ];;

make_inst_thms cpu_abs;;

let I_rep_ty = abstract_type `gen_I` `key`;;

let INTERP_def = new_definition
    (`INTERP`,
     "! (rep:^I_rep_ty) (s:time->*state) (e:time->*env) .
      INTERP rep s e =
      !t:time.
        let n = (key rep (select rep (s t) (e t))) in (
        s(t+1) = (SND (EL n (inst_list rep))) (s t) (e t))"
);;

let INTERP_DEF_EXPANDED =
    BETA_RULE (
      EXPAND_LET_RULE INTERP_def);;

let inst_correct_def = new_definition
    (`INST_CORRECT`,
     "! inst:(*key#(*state->*env->*state))
        (s':time'->*state')
        (e':time'->*env') .
      INST_CORRECT rep s' e' inst =
      (Impl (rep:^I_rep_ty) s' e') ==>
      (!t:time'.
        let s = (\t. (substate rep (s' t))) in
        let e = (\t. (subenv rep (e' t))) in
        let f = (\t. (count rep (s' t) (e' t) = (start rep))) in (
        (select rep (s t) (e t) = (FST inst)) /\
        (count rep (s' t) (e' t) = (start rep)) ==>
        ?c.
          Next f (t,t+c) /\
          ((SND inst) (s t) (e t) = (s (t + c)))))"
);;

let INST_CORRECT_EXPANDED =
    BETA_RULE (
      EXPAND_LET_RULE inst_correct_def);;

new_theory_obligations
    [
     "EVERY (INST_CORRECT (rep:^I_rep_ty)
                          (s':time'->*state')
                          (e':time'->*env'))
            (inst_list rep)"
     ;
     "!k:*key . (key (rep:^I_rep_ty) k) < (LENGTH (inst_list rep))"
     ;
     "!k:*key . k = (FST (EL (key (rep:^I_rep_ty) k) (inst_list rep)))"
    ];;

let IMPL_NEXTSTATE_LEMMA = TAC_PROOF
    (([],
      "let s = (\t:time'. (substate rep (s' t))) and
           e = (\t:time'. (subenv rep (e' t))) and
           f = (\t. (count rep (s' t) (e' t) = (start rep))) in (
       (Impl (rep:^I_rep_ty)) s' e' ==>
       (!t:time'.
         (count rep (s' t) (e' t) = (start rep)) ==>
         ?c.
           Next f (t,t+c) /\
           ((substate rep (s' (t + c))) =
            (SND (EL (key rep (select rep (s t) (e t)))
                     (inst_list rep))) (s t) (e t))))"),
    EXPAND_LET_TAC
    THEN BETA_TAC
    THEN REPEAT STRIP_TAC
    THEN POP_ASSUM_LIST (\asl.
      let asl' =
        map (PURE_REWRITE_RULE [EVERY_EL;INST_CORRECT_EXPANDED]) asl in
      MAP_EVERY ASSUME_TAC
        (map
          (\thm.
            (SPEC "(key (rep:^I_rep_ty)
                        (select rep
                          (substate rep (s' t))
                          (subenv rep (e' t))))" thm) ?
            (SPEC "(select (rep:^I_rep_ty)
                          (substate rep (s' t))
                          (subenv rep (e' t)))" thm) ?
            thm) asl'))
    THEN RES_TAC
    THEN POP_ASSUM (\thm. ASSUME_TAC (REWRITE_RULE [] (SPEC "t:time'" thm)))
    THEN RES_TAC
    THEN FIRST_ASSUM (
      MATCH_ACCEPT_TAC o
      (CONV_RULE (ONCE_DEPTH_CONV (RAND_CONV SYM_CONV))))
);;

let IMPL_NEXTSTATE_LEMMA_EXPANDED =
    BETA_RULE (
      EXPAND_LET_RULE IMPL_NEXTSTATE_LEMMA);;

let IMPL_I_CORRECT = prove_thm
    (`IMPL_I_CORRECT`,
     "let s = (\t:time'. (substate rep (s' t))) and
          e = (\t:time'. (subenv rep (e' t))) and
          f = (\t:time'. (count rep (s' t) (e' t) = (start rep))) in
      let abs = (Temp_Abs f) in (
      (Impl (rep:^I_rep_ty)) s' e' /\
      (?t. f t) ==>
      (INTERP rep) (s o abs) (e o abs))",
    EXPAND_LET_TAC
    THEN BETA_TAC
    THEN REPEAT GEN_TAC
    THEN PURE_REWRITE_TAC [INTERP_DEF_EXPANDED;o_DEF]
    THEN STRIP_GOAL_THEN ((MAP_EVERY ASSUME_TAC) o CONJUNCTS)
    THEN BETA_TAC
    THEN MATCH_MP_TAC (
      BETA_RULE (
        REWRITE_RULE [UNCURRY_DEF] (
          SPECL ["(\t:time'. (count rep (s' t) (e' t) =
                              (start (rep:^I_rep_ty))))";
                 "(\(t1:time',t2:time').
                    substate rep (s' t2) =
                    (SND
                      (EL (key (rep:^I_rep_ty)
                               (select rep
                                 (substate rep (s' t1))
                                 (subenv rep (e' t1))))
                          (inst_list rep)))
                    (substate rep (s' t1))
                    (subenv rep (e' t1)))"
                ] INF_Temp_Abs)))
    THEN CONJ_TAC
    THEN (FIRST_ASSUM MATCH_ACCEPT_TAC ORELSE ALL_TAC)
    THEN REPEAT STRIP_TAC
    THEN IMP_RES_TAC IMPL_NEXTSTATE_LEMMA_EXPANDED
);;

close_theory();;
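The gen_I theory above is easier to follow on a finite trace. The following Python model is an added example, not code from the report: it builds a toy instruction table, a three-micro-cycle implementation whose counter marks instruction boundaries (the predicate f of INST_CORRECT), abstracts the fine-grained trace with Temp_Abs, and checks INTERP on the abstracted trace, which is exactly what IMPL_I_CORRECT asserts. The instruction list, the select function, the step count and the latch defect are all constructed for illustration and are not AVM-1.

```python
# Added example (not code from the report): a Python model of the gen_I
# theory.  Instruction table, select function and the three-step
# implementation are constructed for illustration; they are not AVM-1.
from typing import Callable, List, Tuple

# inst_list : (*key # (*state -> *env -> *state)) list.  Here *state and
# *env are ints and *key is a string.
INST_LIST: List[Tuple[str, Callable[[int, int], int]]] = [
    ("ADD", lambda s, e: s + e),      # key "ADD"    -> index 0
    ("DOUBLE", lambda s, e: 2 * s),   # key "DOUBLE" -> index 1
]

def key(k: str) -> int:
    """key rep : *key -> num, the table index of an instruction key."""
    return [name for name, _ in INST_LIST].index(k)

def select(s: int, e: int) -> str:
    """select rep : *state -> *env -> *key (constructed: parity of the state)."""
    return "ADD" if s % 2 == 0 else "DOUBLE"

def key_obligations_hold() -> bool:
    """The two key obligations of gen_I: key k < LENGTH inst_list and
    k = FST (EL (key k) inst_list)."""
    return all(key(k) < len(INST_LIST) and INST_LIST[key(k)][0] == k
               for k, _ in INST_LIST)

# Implementation level.  state' = (register, count, latched_env); substate
# projects the register, count plays the role of `count rep` and START of
# `start rep`.  Each instruction takes STEPS micro-cycles (constructed).
START, STEPS = 0, 3

def impl_run(s0: int, env: Callable[[int], int], n_ticks: int,
             latch: bool = True) -> List[Tuple[int, int, int]]:
    """Trace s'(0..n_ticks).  With latch=False the implementation re-reads
    the environment at commit time instead of at the instruction start,
    the kind of defect IMPL_I_CORRECT rejects."""
    trace = [(s0, START, env(0))]
    for t in range(n_ticks):
        reg, count, latched = trace[-1]
        if count == START or not latch:
            latched = env(t)
        if count == STEPS - 1:          # last micro-cycle: commit the result
            reg = INST_LIST[key(select(reg, latched))][1](reg, latched)
        trace.append((reg, (count + 1) % STEPS, latched))
    return trace

def temp_abs(f: Callable[[int], bool], horizon: int) -> List[int]:
    """Temp_Abs f as a list: element 0 is First f (first t with f t), element
    n+1 is the Next t after element n with f t."""
    return [t for t in range(horizon) if f(t)]

def interp_holds(s: List[int], e: List[int]) -> bool:
    """INTERP rep s e: s(t+1) = SND (EL n inst_list) (s t) (e t) for every t."""
    for t in range(len(s) - 1):
        n = key(select(s[t], e[t]))
        if s[t + 1] != INST_LIST[n][1](s[t], e[t]):
            return False
    return True

def check_impl_i_correct(s0: int, env: Callable[[int], int], n_ticks: int,
                         latch: bool = True) -> Tuple[bool, List[int]]:
    """IMPL_I_CORRECT on a finite trace: abstract with Temp_Abs f, where
    f t = (count (s' t) = start), then check INTERP on (s o abs), (e o abs)."""
    trace = impl_run(s0, env, n_ticks, latch)
    f = lambda t: trace[t][1] == START
    abs_times = temp_abs(f, len(trace))
    s_abs = [trace[t][0] for t in abs_times]   # (substate o s') o abs
    e_abs = [env(t) for t in abs_times]        # (subenv o e') o abs, subenv = id
    return interp_holds(s_abs, e_abs), s_abs

if __name__ == "__main__":
    print(check_impl_i_correct(1, lambda t: t % 5, 12))               # (True, [1, 2, 5, 10, 14])
    print(check_impl_i_correct(1, lambda t: t % 5, 12, latch=False))  # (False, ...)
```

The latch=False run shows why the obligation in INST_CORRECT is stated at the instruction boundary time t: when the environment is sampled later in the instruction, the abstracted trace no longer satisfies INTERP even though each micro-step is locally sensible.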
3.2 The Word Representation

This section presents the ML code that creates the theory aux_def.th.

%
    File:        def_aux.ml

    Description:

    Defines generic functions used in subsequent specifications.

    Author:      (c) P. J. Windley 1989
    Date:        29 DEC 89
%

set_search_path (search_path() @ [`/muztag/home/windley/hol/tactics/`;
                                  `/muztag/home/windley/hol/ml/`;
                                 ]);;

system `/bin/rm aux_def.th`;;
new_theory `aux_def`;;
loadf `abstract`;;
new_type_abbrev (`time`,":num");;

let abs_rep = new_abstract_representation [

    % ALU functions %

    % addition without carry %
    (`add`,":(*wordn # *wordn -> *wordn)")
    ;
    % addition with carry %
    (`addc`,":(*wordn # *wordn # bool -> *wordn)")
    ;
    % carry predicate for add %
    (`addp`,":(*wordn # *wordn # *wordn) -> bool")
    ;
    % carry predicate for addc %
    (`addcp`,":(*wordn # *wordn # *wordn) -> bool")
    ;
    % overflow predicate for add %
    (`aovfl`,":(*wordn # *wordn # *wordn) -> bool")
    ;
    % increment %
    (`inc`,":(*wordn -> *wordn)")
    ;
    % subtract without carry %
    (`sub`,":(*wordn # *wordn -> *wordn)")
    ;
    % subtract with carry %
    (`subc`,":(*wordn # *wordn # bool) -> *wordn")
    ;
    % carry predicate for sub %
    (`subp`,":(*wordn # *wordn # *wordn) -> bool")
    ;
    % overflow predicate for sub %
    (`sovfl`,":(*wordn # *wordn # *wordn) -> bool")
    ;
    % decrement %
    (`dec`,":(*wordn -> *wordn)")
    ;
    % bitwise and %
    (`band`,":(*wordn # *wordn -> *wordn)")
    ;
    % bitwise xor %
    (`bxor`,":(*wordn # *wordn -> *wordn)")
    ;
    % bitwise or %
    (`bor`,":(*wordn # *wordn -> *wordn)")
    ;
    % bitwise not %
    (`bnot`,":(*wordn -> *wordn)")
    ;

    % Test functions %

    % negative? %
    (`negp`,":(*wordn -> bool)")
    ;
    % zero? %
    (`zerop`,":(*wordn -> bool)")
    ;

    % SHIFTER functions %

    % shift left %
    (`shl`,":(*wordn -> *wordn)")
    ;
    % shift right %
    (`shr`,":(*wordn -> *wordn)")
    ;
    % arithmetic shift right %
    (`asr`,":(*wordn -> *wordn)")
    ;

    % Bit functions %

    % most significant bit %
    (`msb`,":(*wordn -> bool)")
    ;
    % least significant bit %
    (`lsb`,":(*wordn -> bool)")
    ;

    % Coercion functions %

    % numeric value of n-bit word %
    (`val`,":(*wordn -> num)")
    ;
    % wordn representation of number %
    (`wordn`,":(num -> *wordn)")
    ;
    % address representation of a word %
    (`address`,":(*wordn -> *address)")
    ;

    % Subranging functions %

    % opcode portion of word %
    (`opcode`,":(*wordn -> (bool#bool#bool#bool#bool#bool))")
    ;
    % destination portion of word %
    (`dest`,":(*wordn -> *reg_len)")
    ;
    % source A portion of word %
    (`srca`,":(*wordn -> *reg_len)")
    ;
    % source B portion of word %
    (`srcb`,":(*wordn -> *reg_len)")
    ;
    % value of reg_len %
    (`reg_len`,":(*reg_len -> num)")
    ;
    % immediate portion of word (name illegible in the scan; `imm` assumed) %
    (`imm`,":(*wordn -> *wordn)")
    ;

    % Subranging functions for the Program Status Word %

    % interrupt enable bit in word %
    (`get_ie`,":(*wordn -> bool)")
    ;
    % supervisory mode bit in word %
    (`get_sm`,":(*wordn -> bool)")
    ;
    % carry bit in word %
    (`get_cf`,":(*wordn -> bool)")
    ;
    % overflow bit in word %
    (`get_vf`,":(*wordn -> bool)")
    ;
    % zero bit in word %
    (`get_zf`,":(*wordn -> bool)")
    ;
    % neg bit in word %
    (`get_nf`,":(*wordn -> bool)")
    ;
    % create psw %
    (`mk_psw`,":((bool#bool#bool#bool#bool#bool) -> *wordn)")
    ;

    % Memory functions %

    % fetch a word from memory %
    (`fetch`,":(*memory # *address) -> *wordn")
    ;
    % store a word in memory %
    (`store`,":(*memory # *address # *wordn) -> *memory")
    ;
    % transmute memory %
    (`trans`,":*memory -> *memory")
    ;

    % Interrupt instructions %

    (`int_trans`,":*wordn -> *wordn")
    ;
    (`int_fetch`,":*wordn -> *wordn")
    ];;

let rep_ty = abstract_type `aux_def` `opcode`;;
close_theory();;
3.3 Auxiliary Files

This section presents several auxiliary theories that are used throughout the specification and verification of AVM-1.

3.3.1 Auxiliary Theorems

This section presents the ML code that creates the theory aux_thms.th.

%
    File:        mk_aux.ml
    Author:      (c) P. J. Windley 1990
    Date:        15 90
    Modified:

    Description:

    Prove auxilliary theorems used in subsequent proofs.
%

set_search_path (search_path() @
    [`/muztag/home/windley/hol/tactics/`;
     `/muztag/home/windley/hol/ml/`
    ]);;

let Library_Root = `/muztag/home/windley/hol/Library/`;;

set_search_path
    (search_path() @
     (map (concat Library_Root)
          [`tuple/`; `decimal/`; `assoc/`]));;

system `/bin/rm aux_thms.th`;;
new_theory `aux_thms`;;
loadf `tuple`;;

%
    Auxilliary list definitions and theorems
%

let SET_EL_DEF = new_prim_rec_definition
    (`SET_EL_DEF`,
     "(SET_EL 0 (lst:(*)list) x = (CONS x (TL lst))) /\
      (SET_EL (SUC n) lst x = (CONS (HD lst) (SET_EL n (TL lst) x)))"
);;

let SET_EL = prove_thm
    (`SET_EL`,
     "!h t x.
      (SET_EL 0 (CONS h t) x = (CONS x t)) /\
      (SET_EL (SUC n) (CONS h t) x = (CONS h (SET_EL n t x)))",
    REPEAT GEN_TAC
    THEN REWRITE_TAC [SET_EL_DEF;HD;TL]
);;

let EL_SET_EL = prove_thm
    (`EL_SET_EL`,
     "!x n lst. EL n (SET_EL n lst x) = x",
    GEN_TAC
    THEN INDUCT_TAC
    THEN REWRITE_TAC [SET_EL_DEF;EL;CONS;TL;HD]
    THEN LIST_INDUCT_TAC
    THENL [
      POP_ASSUM (\x. ASSUME_TAC (SPEC "TL[]:(*)list" x))
    ;
      ALL_TAC
    ]
    THEN ASM_REWRITE_TAC [TL]
);;

%
    Auxilliary boolean definitions and theorems
%

let xor = new_infix_definition
    (`xor`,
     "!a b. $xor a b = (a /\ ~b) \/ (~a /\ b)"
);;

%
    Define addition of a number with a bt6 value
%

let add_bt6 = new_definition
    (`add_bt6`,
     "!x y.
      add_bt6 x y =
        bt6_ival ((bt6_val x) + y)"
);;

let OFFSET = "4";;

let PLUS_4_LEMMA = TAC_PROOF
    (([],
      "!x. x + ^OFFSET = (SUC (SUC (SUC (SUC x))))"),
    CONV_TAC (TOP_DEPTH_CONV num_CONV)
    THEN REWRITE_TAC [ADD_CLAUSES]
);;

%
    Some other nice conversions
%

let is_SND_term t =
    if is_comb t then
      fst (dest_const (fst (strip_comb t))) = `SND`
    else
      false;;

let SND_CONV t =
    if is_SND_term t then
      let op,pr = dest_comb t in
      let op,[t1;t2] = strip_comb pr in
      SPECL [t1;t2] (
        INST_TYPE [((type_of t1),":*");
                   ((type_of t2),":**")] SND)
    else
      failwith `SND_CONV`;;

let inv_num_CONV n = (
    let x,y = dest_comb n in
    let y_inc = int_to_term ((term_to_int y) + 1) in
    if not (x = "SUC") then fail else
    SYM_RULE (num_CONV y_inc))
    ? failwith `inv_num_CONV`;;

%
    Prove that the table lookup doesn't end up at the beginning of ROM

    OFFSET_NOT_BEGINNING = |- !b. ~(add_bt6(F,SND b)4 = F,F,F,F,F,F)

    Run time: 1110.9s

    Intermediate theorems generated: 32451
%

let OFFSET_NOT_BEGINNING = TAC_PROOF
    (([],
      "!b:bt6. ~(add_bt6(F,SND b) ^OFFSET = F,F,F,F,F,F)"),
    GEN_TAC
    THEN STRUCT_CASES_TAC (SPEC_ALL SIX_TUPLE_VALUE_LEMMA)
    THEN PURE_ONCE_REWRITE_TAC [add_bt6]
    THEN CONV_TAC (ONCE_DEPTH_CONV SND_CONV)
    THEN CONV_TAC (ONCE_DEPTH_CONV bt6_val_CONV)
    THEN PURE_ONCE_REWRITE_TAC [PLUS_4_LEMMA]
    THEN CONV_TAC (TOP_DEPTH_CONV inv_num_CONV)
    THEN CONV_TAC (ONCE_DEPTH_CONV bt6_ival_CONV)
    THEN REWRITE_TAC [PAIR_EQ]
);;

save_thm(`OFFSET_NOT_BEGINNING`,OFFSET_NOT_BEGINNING);;

close_theory();;
3.3.2 The Jump Condition

This section presents the ML code that creates the theory jump_def.th.

%
    File:        def_jump.ml
    Author:      (c) P. J. Windley 1990
    Date:        9 APR 90
    Modified:

    Description:

    Defines the function used to describe the jump unit in the
    EBM and to describe jump condition selection in the
    other levels.
%

set_search_path (search_path() @ [`/muztag/home/windley/hol/tactics/`;
                                  `/muztag/home/windley/hol/ml/`;
                                 ]);;

let Library_Root = `/muztag/home/windley/hol/Library/`;;

set_search_path
    (search_path() @
     (map (concat Library_Root)
          [`tuple/`; `decimal/`]));;

loadf `abstract`;;

system `/bin/rm jump_def.th`;;

new_theory `jump_def`;;

map new_parent [`aux_def`; `aux_thms`];;

let rep_ty = abstract_type `aux_def` `get_sm`;;

%
    This definition is used in the jump instruction.
%

let JUMP_COND = new_definition
    (`JUMP_COND`,
     "! d psw . JUMP_COND (rep:^rep_ty) d psw =
      let cf = (get_cf rep psw) and
          vf = (get_vf rep psw) and
          nf = (get_nf rep psw) and
          zf = (get_zf rep psw) in (
      (d = 0)  => cf                    | % carry %
                                          % higher or same (unsigned) %
      (d = 1)  => ~cf                   | % no carry %
                                          % lower (unsigned) %
      (d = 2)  => vf                    | % overflow %
      (d = 3)  => ~vf                   | % no overflow %
      (d = 4)  => nf                    | % negative %
      (d = 5)  => ~nf                   | % positive %
      (d = 6)  => zf                    | % equal %
      (d = 7)  => ~zf                   | % not equal %
      (d = 8)  => (~cf \/ zf)           | % lower or same (unsigned) %
      (d = 9)  => ~(~cf \/ zf)          | % higher (unsigned) %
      (d = 10) => (nf xor vf)           | % less than (signed) %
      (d = 11) => ~(nf xor vf)          | % greater or equal (signed) %
      (d = 12) => ~((nf xor vf) \/ zf)  | % greater than (signed) %
      (d = 13) => ((nf xor vf) \/ zf)   | % greater or equal (signed) %
      T)"                                 % always %
);;

close_theory();;



3.3.3 The Register File

This section presents the ML code that creates the theory regs_def.th.

%
    File:        def_regs.ml
    Author:      (c) P. J. Windley 1990
    Date:        18 JAN 90
    Modified:    10 FEB 90

    Description:

    Defines functions for selecting registers in the register file.
    These functions are used in many of the specifications.
%

set_search_path (search_path() @ [`/muztag/home/windley/hol/tactics/`;
                                  `/muztag/home/windley/hol/ml/`;
                                 ]);;

let Library_Root = `/muztag/home/windley/hol/Library/`;;

set_search_path
    (search_path() @
     (map (concat Library_Root)
          [`tuple/`; `decimal/`]));;

loadf `abstract`;;

system `/bin/rm regs_def.th`;;

new_theory `regs_def`;;

map new_parent [`aux_def`; `aux_thms`];;

let rep_ty = abstract_type `aux_def` `get_sm`;;

%
    Special names for some of the registers in register file.
    No magic numbers here!
%

let zero_reg = new_definition (`zero_reg`,"zero_reg = 0");;

let ZERO_REG = new_definition
    (`ZERO_REG`,
     "! reg_list:(*wordn)list . ZERO_REG reg_list = (EL zero_reg reg_list)"
);;

%
    Supervisor registers are from 1 - 7
%

let IS_SUP_REG = new_definition
    (`IS_SUP_REG`,
     "! n . IS_SUP_REG n = (0 < n) /\ (n < 8)"
);;

let ssp_reg = new_definition (`ssp_reg`,"ssp_reg = 1");;

let SSP_REG = new_definition
    (`SSP_REG`,
     "! reg_list:(*wordn)list .
      SSP_REG reg_list = (EL ssp_reg reg_list)"
);;

%
    UPDATE REGISTER LIST
%

let UPDATE_REG = new_definition
    (`UPDATE_REG`,
     "! (rep:^rep_ty) psw n (reg_list:(*wordn)list) value .
      UPDATE_REG rep psw n reg_list value =
      let sm = (get_sm rep psw) in
      (n = zero_reg) => reg_list |
      (IS_SUP_REG n /\ ~sm) => reg_list |
      (SET_EL n reg_list value)"
);;

close_theory();;
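UPDATE_REG is the one place in these definitions where a privilege decision is made: register 0 is never written, and registers 1 to 7 are written only when the supervisor-mode bit of the PSW is set; a disallowed write leaves the register file unchanged rather than trapping. The following Python model is an added example, not the report's code. It implements SET_EL from aux_thms, IS_SUP_REG and UPDATE_REG as defined above, reads the supervisor-mode bit from bit 5 of the PSW as Table 1 gives it, and records which writes in a sequence actually took effect, which is what a defender checking for silently dropped privileged writes would want to see. The register count and the sample write sequence are constructed.

```python
# Added example (not the report's code): a Python model of regs_def and of
# SET_EL from aux_thms.  Register count and the sample writes are constructed;
# the supervisor-mode bit position (bit 5) is Table 1's.
from typing import List, Tuple

ZERO_REG = 0      # zero_reg
SSP_REG = 1       # ssp_reg
NUM_REGS = 32     # constructed: 1 zero + 7 supervisor + 24 general registers

def set_el(n: int, lst: List[int], x: int) -> List[int]:
    """SET_EL n lst x, following the primitive-recursive definition."""
    if n == 0:
        return [x] + lst[1:]                       # CONS x (TL lst)
    return [lst[0]] + set_el(n - 1, lst[1:], x)    # CONS (HD lst) (SET_EL n (TL lst) x)

def el_set_el_holds(lst: List[int], x: int) -> bool:
    """EL_SET_EL: EL n (SET_EL n lst x) = x, checked for every n in range."""
    return all(set_el(n, lst, x)[n] == x for n in range(len(lst)))

def is_sup_reg(n: int) -> bool:
    """IS_SUP_REG n = (0 < n) /\ (n < 8)."""
    return 0 < n < 8

def get_sm(psw: int) -> bool:
    """get_sm: the supervisory-mode bit, bit 5 of the PSW (Table 1)."""
    return bool((psw >> 5) & 1)

def update_reg(psw: int, n: int, reg_list: List[int], value: int) -> List[int]:
    """UPDATE_REG rep psw n reg_list value: register 0 is never written and a
    supervisor register is written only in supervisor mode; otherwise the
    register file is returned unchanged (no trap, no error)."""
    sm = get_sm(psw)
    if n == ZERO_REG:
        return reg_list
    if is_sup_reg(n) and not sm:
        return reg_list
    return set_el(n, reg_list, value)

def apply_writes(psw: int, reg_list: List[int],
                 writes: List[Tuple[int, int]]) -> Tuple[List[int], List[bool]]:
    """Apply (n, value) writes in order and report which ones took effect.
    update_reg hands back the same list object when it drops a write, so
    identity tells a dropped write from an accepted one."""
    accepted = []
    for n, value in writes:
        new_list = update_reg(psw, n, reg_list, value)
        accepted.append(new_list is not reg_list)
        reg_list = new_list
    return reg_list, accepted

if __name__ == "__main__":
    regs = [0] * NUM_REGS
    user_psw, sup_psw = 0b000000, 0b100000
    writes = [(ZERO_REG, 7), (SSP_REG, 7), (10, 7)]
    print(apply_writes(user_psw, regs, writes)[1])   # [False, False, True]
    print(apply_writes(sup_psw, regs, writes)[1])    # [False, True, True]
```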


3.4 The Electronic Block Model

This section presents the theories that define the electronic block model.

3.4.1 A 16 Input Multiplexor

This section presents the ML code that creates the theory mux16_def.th.

%
    File:        def_mux16.ml
    Author:      (c) P. J. Windley 1989, 1990
    Date:        29 DEC 89
    Modified:    13 JAN 90

    Description:

    Defines a 16 input MUX used in subsequent specifications.
%

set_search_path (search_path() @ [`/muztag/home/windley/hol/tactics/`;
                                  `/muztag/home/windley/hol/ml/`;
                                 ]);;

let Library_Root = `/muztag/home/windley/hol/Library/`;;

set_search_path
    (search_path() @
     (map (concat Library_Root)
          []));;

system `/bin/rm mux16_def.th`;;

new_theory `mux16_def`;;

let mux_16_def = new_definition
    (`MUX_16_DEF`,
     "! (b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 b10 b11 b12 b13 b14 b15:*)
        select result .
      MUX_16 (b0,b1,b2,b3,b4,b5,b6,b7,b8,b9,b10,b11,b12,b13,b14,b15)
             select result =
      (result =
       ((select = (F,F,F,F)) => b0  |
        (select = (F,F,F,T)) => b1  |
        (select = (F,F,T,F)) => b2  |
        (select = (F,F,T,T)) => b3  |
        (select = (F,T,F,F)) => b4  |
        (select = (F,T,F,T)) => b5  |
        (select = (F,T,T,F)) => b6  |
        (select = (F,T,T,T)) => b7  |
        (select = (T,F,F,F)) => b8  |
        (select = (T,F,F,T)) => b9  |
        (select = (T,F,T,F)) => b10 |
        (select = (T,F,T,T)) => b11 |
        (select = (T,T,F,F)) => b12 |
        (select = (T,T,F,T)) => b13 |
        (select = (T,T,T,F)) => b14 |
        b15))"
);;

let mux_16_application = prove_thm
    (`MUX_16`,
     "! (b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 b10 b11 b12 b13 b14 b15 r:*) .
      ((MUX_16 (b0,b1,b2,b3,b4,b5,b6,b7,b8,b9,b10,b11,b12,b13,b14,b15)
               (F,F,F,F) r) = (r = b0)) /\
      ((MUX_16 (b0,b1,b2,b3,b4,b5,b6,b7,b8,b9,b10,b11,b12,b13,b14,b15)
               (F,F,F,T) r) = (r = b1)) /\
      ((MUX_16 (b0,b1,b2,b3,b4,b5,b6,b7,b8,b9,b10,b11,b12,b13,b14,b15)
               (F,F,T,F) r) = (r = b2)) /\
      ((MUX_16 (b0,b1,b2,b3,b4,b5,b6,b7,b8,b9,b10,b11,b12,b13,b14,b15)
               (F,F,T,T) r) = (r = b3)) /\
      ((MUX_16 (b0,b1,b2,b3,b4,b5,b6,b7,b8,b9,b10,b11,b12,b13,b14,b15)
               (F,T,F,F) r) = (r = b4)) /\
      ((MUX_16 (b0,b1,b2,b3,b4,b5,b6,b7,b8,b9,b10,b11,b12,b13,b14,b15)
               (F,T,F,T) r) = (r = b5)) /\
      ((MUX_16 (b0,b1,b2,b3,b4,b5,b6,b7,b8,b9,b10,b11,b12,b13,b14,b15)
               (F,T,T,F) r) = (r = b6)) /\
      ((MUX_16 (b0,b1,b2,b3,b4,b5,b6,b7,b8,b9,b10,b11,b12,b13,b14,b15)
               (F,T,T,T) r) = (r = b7)) /\
      ((MUX_16 (b0,b1,b2,b3,b4,b5,b6,b7,b8,b9,b10,b11,b12,b13,b14,b15)
               (T,F,F,F) r) = (r = b8)) /\
      ((MUX_16 (b0,b1,b2,b3,b4,b5,b6,b7,b8,b9,b10,b11,b12,b13,b14,b15)
               (T,F,F,T) r) = (r = b9)) /\
      ((MUX_16 (b0,b1,b2,b3,b4,b5,b6,b7,b8,b9,b10,b11,b12,b13,b14,b15)
               (T,F,T,F) r) = (r = b10)) /\
      ((MUX_16 (b0,b1,b2,b3,b4,b5,b6,b7,b8,b9,b10,b11,b12,b13,b14,b15)
               (T,F,T,T) r) = (r = b11)) /\
      ((MUX_16 (b0,b1,b2,b3,b4,b5,b6,b7,b8,b9,b10,b11,b12,b13,b14,b15)
               (T,T,F,F) r) = (r = b12)) /\
      ((MUX_16 (b0,b1,b2,b3,b4,b5,b6,b7,b8,b9,b10,b11,b12,b13,b14,b15)
               (T,T,F,T) r) = (r = b13)) /\
      ((MUX_16 (b0,b1,b2,b3,b4,b5,b6,b7,b8,b9,b10,b11,b12,b13,b14,b15)
               (T,T,T,F) r) = (r = b14)) /\
      ((MUX_16 (b0,b1,b2,b3,b4,b5,b6,b7,b8,b9,b10,b11,b12,b13,b14,b15)
               (T,T,T,T) r) = (r = b15))",
    REWRITE_TAC [mux_16_def;PAIR_EQ]
);;

close_theory();;



3.4.2 A Generic ALU

This section presents the ML code that creates the theory gen_alu.th.

%
    File:        mk_gen_alu.ml
    Author:      (c) P. J. Windley 1989, 1990
    Date:        29 DEC 89
    Modified:    13 JAN 90

    Description:

    Defines a generic ALU used in subsequent specifications. The
    theory contains a generic proof.
%

set_search_path (search_path() @ [`/muztag/home/windley/hol/tactics/`;
                                  `/muztag/home/windley/hol/ml/`;
                                 ]);;

let Library_Root = `/muztag/home/windley/hol/Library/`;;

set_search_path
    (search_path() @
     (map (concat Library_Root)
          [`tuple/`; `decimal/`]));;

loadf `abstract`;;

system `/bin/rm gen_alu.th`;;

new_theory `gen_alu`;;

map load_parent [`tuple`; `mux16_def`];;

%
    Generic specification
%

let alu_abs = new_abstract_representation
    [
     (`func0`,":*inputs->*output->*flags->bool");
     (`func1`,":*inputs->*output->*flags->bool");
     (`func2`,":*inputs->*output->*flags->bool");
     (`func3`,":*inputs->*output->*flags->bool");
     (`func4`,":*inputs->*output->*flags->bool");
     (`func5`,":*inputs->*output->*flags->bool");
     (`func6`,":*inputs->*output->*flags->bool");
     (`func7`,":*inputs->*output->*flags->bool");
     (`func8`,":*inputs->*output->*flags->bool");
     (`func9`,":*inputs->*output->*flags->bool");
     (`func10`,":*inputs->*output->*flags->bool");
     (`func11`,":*inputs->*output->*flags->bool");
     (`func12`,":*inputs->*output->*flags->bool");
     (`func13`,":*inputs->*output->*flags->bool");
     (`func14`,":*inputs->*output->*flags->bool");
     (`func15`,":*inputs->*output->*flags->bool");
     (`module0`,":*inputs->*output->*flags->bool");
     (`module1`,":*inputs->*output->*flags->bool");
     (`module2`,":*inputs->*output->*flags->bool");
     (`module3`,":*inputs->*output->*flags->bool");
     (`module4`,":*inputs->*output->*flags->bool");
     (`module5`,":*inputs->*output->*flags->bool");
     (`module6`,":*inputs->*output->*flags->bool");
     (`module7`,":*inputs->*output->*flags->bool");
     (`module8`,":*inputs->*output->*flags->bool");
     (`module9`,":*inputs->*output->*flags->bool");
     (`module10`,":*inputs->*output->*flags->bool");
     (`module11`,":*inputs->*output->*flags->bool");
     (`module12`,":*inputs->*output->*flags->bool");
     (`module13`,":*inputs->*output->*flags->bool");
     (`module14`,":*inputs->*output->*flags->bool");
     (`module15`,":*inputs->*output->*flags->bool")
    ];;

make_inst_thms alu_abs;;

let alu_rep_ty = abstract_type `gen_alu` `func0`;;

let dummy_op_def = new_definition
    (`DUMMY_OP`,
     "DUMMY_OP = \x:one. F"
);;

let alu_spec_def = new_definition
    (`ALU_SPEC_DEF`,
     "! (rep:^alu_rep_ty) switch inputs output flags .
      ALU_SPEC rep switch inputs output flags =
      ((switch = (F,F,F,F)) => (
         (func0 rep) inputs output flags) |
       (switch = (F,F,F,T)) => (
         (func1 rep) inputs output flags) |
       (switch = (F,F,T,F)) => (
         (func2 rep) inputs output flags) |
       (switch = (F,F,T,T)) => (
         (func3 rep) inputs output flags) |
       (switch = (F,T,F,F)) => (
         (func4 rep) inputs output flags) |
       (switch = (F,T,F,T)) => (
         (func5 rep) inputs output flags) |
       (switch = (F,T,T,F)) => (
         (func6 rep) inputs output flags) |
       (switch = (F,T,T,T)) => (
         (func7 rep) inputs output flags) |
       (switch = (T,F,F,F)) => (
         (func8 rep) inputs output flags) |
       (switch = (T,F,F,T)) => (
         (func9 rep) inputs output flags) |
       (switch = (T,F,T,F)) => (
         (func10 rep) inputs output flags) |
       (switch = (T,F,T,T)) => (
         (func11 rep) inputs output flags) |
       (switch = (T,T,F,F)) => (
         (func12 rep) inputs output flags) |
       (switch = (T,T,F,T)) => (
         (func13 rep) inputs output flags) |
       (switch = (T,T,T,F)) => (
         (func14 rep) inputs output flags) |
       % default %
       (func15 rep) inputs output flags)"
);;

let ALU_SPEC = prove_thm
    (`ALU_SPEC`,
     "! (rep:^alu_rep_ty) inputs output flags .
      (ALU_SPEC rep (F,F,F,F) inputs output flags =
         (func0 rep) inputs output flags) /\
      (ALU_SPEC rep (F,F,F,T) inputs output flags =
         (func1 rep) inputs output flags) /\
      (ALU_SPEC rep (F,F,T,F) inputs output flags =
         (func2 rep) inputs output flags) /\
      (ALU_SPEC rep (F,F,T,T) inputs output flags =
         (func3 rep) inputs output flags) /\
      (ALU_SPEC rep (F,T,F,F) inputs output flags =
         (func4 rep) inputs output flags) /\
      (ALU_SPEC rep (F,T,F,T) inputs output flags =
         (func5 rep) inputs output flags) /\
      (ALU_SPEC rep (F,T,T,F) inputs output flags =
         (func6 rep) inputs output flags) /\
      (ALU_SPEC rep (F,T,T,T) inputs output flags =
         (func7 rep) inputs output flags) /\
      (ALU_SPEC rep (T,F,F,F) inputs output flags =
         (func8 rep) inputs output flags) /\
      (ALU_SPEC rep (T,F,F,T) inputs output flags =
         (func9 rep) inputs output flags) /\
      (ALU_SPEC rep (T,F,T,F) inputs output flags =
         (func10 rep) inputs output flags) /\
      (ALU_SPEC rep (T,F,T,T) inputs output flags =
         (func11 rep) inputs output flags) /\
      (ALU_SPEC rep (T,T,F,F) inputs output flags =
         (func12 rep) inputs output flags) /\
      (ALU_SPEC rep (T,T,F,T) inputs output flags =
         (func13 rep) inputs output flags) /\
      (ALU_SPEC rep (T,T,T,F) inputs output flags =
         (func14 rep) inputs output flags) /\
      (ALU_SPEC rep (T,T,T,T) inputs output flags =
         (func15 rep) inputs output flags)",
    REWRITE_TAC [alu_spec_def;PAIR_EQ]
);;

%
    Generic implementation
%

let alu_imp_def = new_definition
    (`ALU_IMP`,
     "! (rep:^alu_rep_ty) switch inputs output flags .
      ALU_IMP rep switch inputs output flags =
      ? r0 f0 r1 f1 r2 f2 r3 f3 r4 f4 r5 f5 r6 f6 r7 f7
        r8 f8 r9 f9 r10 f10 r11 f11 r12 f12 r13 f13 r14 f14 r15 f15 .
      (((module0 rep) inputs r0 f0) /\
       ((module1 rep) inputs r1 f1) /\
       ((module2 rep) inputs r2 f2) /\
       ((module3 rep) inputs r3 f3) /\
       ((module4 rep) inputs r4 f4) /\
       ((module5 rep) inputs r5 f5) /\
       ((module6 rep) inputs r6 f6) /\
       ((module7 rep) inputs r7 f7) /\
       ((module8 rep) inputs r8 f8) /\
       ((module9 rep) inputs r9 f9) /\
       ((module10 rep) inputs r10 f10) /\
       ((module11 rep) inputs r11 f11) /\
       ((module12 rep) inputs r12 f12) /\
       ((module13 rep) inputs r13 f13) /\
       ((module14 rep) inputs r14 f14) /\
       ((module15 rep) inputs r15 f15) /\
       (MUX_16 (r0,r1,r2,r3,r4,r5,r6,r7,r8,r9,r10,r11,r12,r13,r14,r15)
               switch output) /\
       (MUX_16 (f0,f1,f2,f3,f4,f5,f6,f7,f8,f9,f10,f11,f12,f13,f14,f15)
               switch flags))"
);;

new_theory_obligations
    [
     "! inputs output flags.
      (module0 (rep:^alu_rep_ty) inputs output flags) ==>
      (func0 rep inputs output flags)";
     "! inputs output flags.
      (module1 (rep:^alu_rep_ty) inputs output flags) ==>
      (func1 rep inputs output flags)";
     "! inputs output flags.
      (module2 (rep:^alu_rep_ty) inputs output flags) ==>
      (func2 rep inputs output flags)";
     "! inputs output flags.
      (module3 (rep:^alu_rep_ty) inputs output flags) ==>
      (func3 rep inputs output flags)";
     "! inputs output flags.
      (module4 (rep:^alu_rep_ty) inputs output flags) ==>
      (func4 rep inputs output flags)";
     "! inputs output flags.
      (module5 (rep:^alu_rep_ty) inputs output flags) ==>
      (func5 rep inputs output flags)";
     "! inputs output flags.
      (module6 (rep:^alu_rep_ty) inputs output flags) ==>
      (func6 rep inputs output flags)";
     "! inputs output flags.
      (module7 (rep:^alu_rep_ty) inputs output flags) ==>
      (func7 rep inputs output flags)";
     "! inputs output flags.
      (module8 (rep:^alu_rep_ty) inputs output flags) ==>
      (func8 rep inputs output flags)";
     "! inputs output flags.
      (module9 (rep:^alu_rep_ty) inputs output flags) ==>
      (func9 rep inputs output flags)";
     "! inputs output flags.
      (module10 (rep:^alu_rep_ty) inputs output flags) ==>
      (func10 rep inputs output flags)";
     "! inputs output flags.
      (module11 (rep:^alu_rep_ty) inputs output flags) ==>
      (func11 rep inputs output flags)";
     "! inputs output flags.
      (module12 (rep:^alu_rep_ty) inputs output flags) ==>
      (func12 rep inputs output flags)";
     "! inputs output flags.
      (module13 (rep:^alu_rep_ty) inputs output flags) ==>
      (func13 rep inputs output flags)";
     "! inputs output flags.
      (module14 (rep:^alu_rep_ty) inputs output flags) ==>
      (func14 rep inputs output flags)";
     "! inputs output flags.
      (module15 (rep:^alu_rep_ty) inputs output flags) ==>
      (func15 rep inputs output flags)"
    ];;

%
    |- !rep switch in_A in_B cin output neg zero ovfl carry.
         ALU_IMP rep switch (in_A,in_B,cin) output (neg,zero,ovfl,carry) ==>
         ALU_SPEC rep switch (in_A,in_B,cin) output (neg,zero,ovfl,carry)

    Run time: 1081.2s

    Intermediate theorems generated: 67847
%

prove_thm
    (`ALU_CORRECT`,
     "! switch inputs output flags .
      ALU_IMP rep switch inputs output flags ==>
      ALU_SPEC rep switch inputs output flags",
    REPEAT GEN_TAC
    THEN ONCE_REWRITE_TAC [alu_imp_def]
    THEN STRUCT_CASES_TAC
      (SPEC "switch:bool#bool#bool#bool" FOUR_TUPLE_VALUE_LEMMA)
    THEN ONCE_REWRITE_TAC [ALU_SPEC;MUX_16]
    THEN REPEAT STRIP_TAC
    THEN RES_TAC
    THEN ASM_REWRITE_TAC []
);;

close_theory();;
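The point of ALU_CORRECT is that nothing about the individual operations needs to be known: once every module_i is shown to imply its func_i (the theory obligations), the multiplexor structure of ALU_IMP carries that over to ALU_SPEC for every switch setting. The following Python model is an added example, not code from the report, and works the same argument on a constructed 2-bit ALU with four modules selected by a mux of the same shape as MUX_16 (the mux width follows the module list, so the 16-module case is the same code with a longer list). ALU_IMP is decided by enumerating the witnesses r_i, f_i that the existential quantifier ranges over; a deliberately defective module shows the obligation and the correctness theorem failing together.

```python
# Added example (not from the report): the structure of gen_alu's ALU_IMP and
# ALU_SPEC on a constructed 2-bit, 4-module ALU.  The mux width follows the
# module list, so this is the MUX_16 argument with a smaller mux.
from itertools import product
from typing import Callable, List, Tuple

WIDTH = 2
MASK = (1 << WIDTH) - 1
VALUES = range(1 << WIDTH)
Inputs = Tuple[int, int]
Rel = Callable[[Inputs, int, bool], bool]   # *inputs -> *output -> *flags -> bool

# Specification side: func_i, what each switch setting must compute.
def func_add(inp: Inputs, out: int, flag: bool) -> bool:
    a, b = inp
    return out == ((a + b) & MASK) and flag == (a + b > MASK)

def func_sub(inp: Inputs, out: int, flag: bool) -> bool:
    a, b = inp
    return out == ((a - b) & MASK) and flag == (a >= b)

def func_and(inp: Inputs, out: int, flag: bool) -> bool:
    a, b = inp
    return out == (a & b) and flag == (out == 0)

def func_xor(inp: Inputs, out: int, flag: bool) -> bool:
    a, b = inp
    return out == (a ^ b) and flag == (out == 0)

FUNCS: List[Rel] = [func_add, func_sub, func_and, func_xor]

# Implementation side: module_i, written independently of the funcs.  Each
# must satisfy the theory obligation module_i ==> func_i.
def module_add(inp, out, flag):
    a, b = inp
    s = a + b
    return out == (s % (1 << WIDTH)) and flag == ((s >> WIDTH) == 1)

def module_sub(inp, out, flag):
    a, b = inp
    return out == ((a - b) & MASK) and flag == (b <= a)

def module_sub_bad(inp, out, flag):          # constructed defect: strict compare
    a, b = inp
    return out == ((a - b) & MASK) and flag == (b < a)

def module_and(inp, out, flag):
    a, b = inp
    return out == (a & b) and flag == ((a & b) == 0)

def module_xor(inp, out, flag):
    a, b = inp
    return out == (a ^ b) and flag == ((a ^ b) == 0)

MODULES: List[Rel] = [module_add, module_sub, module_and, module_xor]

def mux(values, switch, result) -> bool:
    """MUX values switch result = (result = the value selected by switch)."""
    return result == values[switch]

def alu_imp(modules, switch, inp, out, flag) -> bool:
    """ALU_IMP: ? r_i f_i. (/\ module_i inp r_i f_i) /\ MUX rs switch out
    /\ MUX fs switch flag, decided by enumerating each module's witnesses."""
    witnesses = [[(r, f) for r in VALUES for f in (False, True) if m(inp, r, f)]
                 for m in modules]
    for choice in product(*witnesses):      # empty if some module admits nothing
        rs = [r for r, _ in choice]
        fs = [f for _, f in choice]
        if mux(rs, switch, out) and mux(fs, switch, flag):
            return True
    return False

def alu_spec(funcs, switch, inp, out, flag) -> bool:
    """ALU_SPEC: the func selected by switch, applied directly."""
    return funcs[switch](inp, out, flag)

def all_cases(n_modules):
    return product(range(n_modules), product(VALUES, VALUES), VALUES, (False, True))

def obligations_hold(modules, funcs) -> bool:
    """new_theory_obligations: module_i inp out flag ==> func_i inp out flag."""
    return all(not m(inp, out, flag) or f(inp, out, flag)
               for m, f in zip(modules, funcs)
               for inp in product(VALUES, VALUES)
               for out in VALUES for flag in (False, True))

def alu_correct(modules, funcs) -> bool:
    """ALU_CORRECT: ALU_IMP ==> ALU_SPEC for every switch, inputs, output, flags."""
    return all(not alu_imp(modules, sw, inp, out, flag)
               or alu_spec(funcs, sw, inp, out, flag)
               for sw, inp, out, flag in all_cases(len(modules)))

if __name__ == "__main__":
    print(obligations_hold(MODULES, FUNCS), alu_correct(MODULES, FUNCS))   # True True
    bad = [module_add, module_sub_bad, module_and, module_xor]
    print(obligations_hold(bad, FUNCS), alu_correct(bad, FUNCS))           # False False
```

The exhaustive check is only feasible because the domain is tiny; the HOL proof above establishes the same implication for any instantiation of the abstract types, which is why the obligations, not the enumeration, are what an implementer must discharge.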


3.4.3 The Arithmetic Logic Unit

This section presents the ML code that creates the theory alu_def.th.

%
    File:
    Author:      (c) P. J. Windley 1989, 1990
    Date:        29 DEC 89
    Modified:    13 JAN 90

    Description:

    Defines an ALU used in subsequent specifications using
    generic operators from the auxilliary definitions theory
    and a generic ALU from the theory of generic alu's.
%

set_search_path (search_path() @ [`/muztag/home/windley/hol/tactics/`;
                                  `/muztag/home/windley/hol/ml/`;
                                 ]);;

let Library_Root = `/muztag/home/windley/hol/Library/`;;

set_search_path
    (search_path() @
     (map (concat Library_Root)
          [`tuple/`; `decimal/`]));;

system `/bin/rm alu_def.th`;;

new_theory `alu_def`;;

loadf `abstract`;;

map new_parent [`aux_def`; `gen_alu`];;

let rep_ty = abstract_type `aux_def` `opcode`;;

let add_without_carry_def = new_definition
    (`ADD_WITHOUT_CARRY`,
     "! (rep:^rep_ty) in_A in_B (cin:bool) out neg zero ovfl carry .
      ADD_WITHOUT_CARRY rep (in_A,in_B,cin) out (neg,zero,ovfl,carry) =
      let result = (add rep) (in_A,in_B) in
      let c = (addp rep) (in_A,in_B,result) and
          n = (negp rep) result and
          z = (zerop rep) result and
          v = (aovfl rep) (in_A,in_B,result) in
      ((out = result) /\ (neg = n) /\ (zero = z) /\
       (ovfl = v) /\ (carry = c))"
);;

let add_with_carry_def = new_definition
    (`ADD_WITH_CARRY`,
     "! (rep:^rep_ty) in_A in_B cin out neg zero ovfl carry .
      ADD_WITH_CARRY rep (in_A,in_B,cin) out (neg,zero,ovfl,carry) =
      let result = (addc rep) (in_A,in_B,cin) in
      let c = (addcp rep) (in_A,in_B,result) and
          n = (negp rep) result and
          z = (zerop rep) result and
          v = (aovfl rep) (in_A,in_B,result) in
      ((out = result) /\ (neg = n) /\ (zero = z) /\
       (ovfl = v) /\ (carry = c))"
);;

let increment_def = new_definition
    (`INCREMENT`,
     "! (rep:^rep_ty) in_A in_B cin out neg zero ovfl carry .
      INCREMENT rep (in_A,in_B,cin) out (neg,zero,ovfl,carry) =
      let result = (inc rep) in_A in
      let c = (addp rep) (in_A,(wordn rep) 0,result) and
          n = (negp rep) result and
          z = (zerop rep) result and
          v = F in
      ((out = result) /\ (neg = n) /\ (zero = z) /\
       (ovfl = v) /\ (carry = c))"
);;

let sub_without_carry_def = new_definition
    (`SUB_WITHOUT_CARRY`,
     "! (rep:^rep_ty) in_A in_B cin out neg zero ovfl carry .
      SUB_WITHOUT_CARRY rep (in_A,in_B,cin) out (neg,zero,ovfl,carry) =
      let result = (sub rep) (in_A,in_B) in
      let c = (subp rep) (in_A,in_B,result) and
          n = (negp rep) result and
          z = (zerop rep) result and
          v = (sovfl rep) (in_A,in_B,result) in
      ((out = result) /\ (neg = n) /\ (zero = z) /\
       (ovfl = v) /\ (carry = c))"
);;

let sub_with_carry_def = new_definition
    (`SUB_WITH_CARRY`,
     "! (rep:^rep_ty) in_A in_B cin out neg zero ovfl carry .
      SUB_WITH_CARRY rep (in_A,in_B,cin) out (neg,zero,ovfl,carry) =
      let result = (subc rep) (in_A,in_B,cin) in
      let c = (subp rep) (in_A,in_B,result) and
          n = (negp rep) result and
          z = (zerop rep) result and
          v = (sovfl rep) (in_A,in_B,result) in
      ((out = result) /\ (neg = n) /\ (zero = z) /\
       (ovfl = v) /\ (carry = c))"
);;
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lot docroaont.dof ■ no w.dof inition 
(‘DECREMENT 1 , 


w ! (rop : ~rop.ty) in.A in.B cin out nog zoro ovil carry . 
DECREXEffT rop (in.A, in.B, cin) out (nog ,zoro,OY21, carry) * 
lot rosult ■ (doc rop) in.A in 

lot c * (tubp rop) (in.A, (wordn rop) 0, rosult) and 
n - (nogp rop) rosult and 
z * (zorop rop) rosult and 
▼ * F in 

((out - rosult) A (nog * n) A (zoro ■ z) A 
(ovll ■ v ) A (carry - c))" 


lot bitwiso.and.doi ■ now.dof inition 
(‘BITWISE. AID*, 


" ! (rop : ~rop_ty) in.A in.B cin out nog zoro ovfl carry . 

BITWISE.AHD rop (in. A, in.B, cin) out (nog, zoro ,ovil .carry) 
lot rosult ■ (band rop) (in.A, in.B) in 
lot c * F and 

n * (nogp rop) rosult and 
z ■ (zorop rop) rosult and 
v » F in 

((out * rosult) A (nog * n) A (zoro » z) A 
(orfl * y) A (carry * c))" 


);; 


lot bitwiso.xor.dof * now. del inition 
( ‘BITWISE.XOR* , 


*' * (rop: *rop.ty) in.A in.B cin out nog zoro ovfl carry . 

BITVISE.XOR rop (in. A, in.B, cin) out (nog, zoro, ovfl, carry) 
lot rosult « (bxor rop) (in.A, in.B) in 
lot c ■ F and 

n * (nogp rop) rosult and 
z - (zorop rop) rosult and 
t * F in 

((out ■ rosult) A (nog * n) A (zoro ■ z) A 
(ovfl ■ v) A (carry ■ c))” 


);; 


lot bitwiso.or.dof » now.dof inition 
(‘BITWISE.OR* , 

H ! (rop: *rop.ty) in.A in.B cin out nog zoro ovfl carry . 

BITWISE.OR rop (in.A, in.B, cin) out (nog, zoro, ovfl, carry) * 
lot rosult ■ (bor rop) (in.A, in.B) in 
lot c ■ F and 

n * (nogp rop) rosult and 
z ■ (zorop rop) rosult and 
y * F in 

((out - rosult) A (nog - n) A (zoro » z) A 
(ovfl * y) A (carry ■ c)V* 


lot bitviso.not.dof * nov.dof inition 
( ‘BITWISE .I0T\ 
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••! (rap^rap.ty) in.A in.B cin out nag zaro ov*l carry . 
BITVISE.IOT rap (in.A, in.B, cin) out (nog, zaro.orfl, carry) 
lat rasult m (bnot rap) in.A in 
lat c * F and 

n - (nagp rap) raault and 
z - (zarop rap) raault and 

t * F in 

((out - raault) /\ (nag - n) /\ (**ro - z) A 
(owfl - v) A (carry - c))" 

);; 


alu.noop.daf * naw.daf imtion 

(‘ALU.IOOP', 

•>! (rap: "rap.ty) in.A in.B cin out nag zaro owfl carry . 
ALU BOOP rap (in.A, in.B, cin) out (nag, zaro.owil, carry 
((out - in.A) A (nag - ((nagp rap) in.A)) A 

(zaro * ((zarop rap) in.A)) A 
(ovfl - F) A (carry - F))" 

);; 


let dummy_module_def = new_definition
 (`DUMMY_MODULE_DEF`,
  "! (rep:^rep_ty) (in_A in_B out:*wordn) (cin neg zero ovfl carry:bool) .
    DUMMY_MODULE_DEF rep (in_A, in_B, cin) out (neg, zero, ovfl, carry)"
 );;


let alu_spec_def = new_definition
 (`MAC2_ALU_SPEC_DEF`,
  "! (rep:^rep_ty) switch in_A in_B cin out (neg zero ovfl carry:bool) .
    MAC2_ALU_SPEC rep switch (in_A, in_B, cin) out (neg, zero, ovfl, carry) =
     ALU_SPEC (
       (ADD_WITHOUT_CARRY rep),
       (ADD_WITH_CARRY rep),
       (INCREMENT rep),
       (SUB_WITHOUT_CARRY rep),
       (SUB_WITH_CARRY rep),
       (DECREMENT rep),
       (BITWISE_AND rep),
       (BITWISE_XOR rep),
       (BITWISE_OR rep),
       (BITWISE_NOT rep),
       (ALU_NOOP rep),
       (ALU_NOOP rep),
       (ALU_NOOP rep),
       (ALU_NOOP rep),
       (ALU_NOOP rep),
       (ALU_NOOP rep),
       (DUMMY_MODULE_DEF rep), (DUMMY_MODULE_DEF rep),
       (DUMMY_MODULE_DEF rep), (DUMMY_MODULE_DEF rep),
       (DUMMY_MODULE_DEF rep), (DUMMY_MODULE_DEF rep),
       (DUMMY_MODULE_DEF rep), (DUMMY_MODULE_DEF rep),
       (DUMMY_MODULE_DEF rep), (DUMMY_MODULE_DEF rep),
       (DUMMY_MODULE_DEF rep), (DUMMY_MODULE_DEF rep),
       (DUMMY_MODULE_DEF rep), (DUMMY_MODULE_DEF rep),
       (DUMMY_MODULE_DEF rep), (DUMMY_MODULE_DEF rep),
       DUMMY_OP)
     switch (in_A, in_B, cin) out (neg, zero, ovfl, carry)"
 );;

let MAC2_ALU_SPEC = save_thm
 (`MAC2_ALU_SPEC`,
  instantiate_abstract_definition
     `gen_alu` `ALU_SPEC_DEF` alu_spec_def
 );;

%
yields...

MAC2_ALU_SPEC =
|- !rep switch in_A in_B cin out neg zero ovfl carry.
    MAC2_ALU_SPEC rep switch(in_A,in_B,cin)out(neg,zero,ovfl,carry) =
    ((switch = F,F,F,F) ->
      ADD_WITHOUT_CARRY rep(in_A,in_B,cin)out(neg,zero,ovfl,carry) |
     ((switch = F,F,F,T) ->
      ADD_WITH_CARRY rep(in_A,in_B,cin)out(neg,zero,ovfl,carry) |
     ((switch = F,F,T,F) ->
      INCREMENT rep(in_A,in_B,cin)out(neg,zero,ovfl,carry) |
     ((switch = F,F,T,T) ->
      SUB_WITHOUT_CARRY rep(in_A,in_B,cin)out(neg,zero,ovfl,carry) |
     ((switch = F,T,F,F) ->
      SUB_WITH_CARRY rep(in_A,in_B,cin)out(neg,zero,ovfl,carry) |
     ((switch = F,T,F,T) ->
      DECREMENT rep(in_A,in_B,cin)out(neg,zero,ovfl,carry) |
     ((switch = F,T,T,F) ->
      BITWISE_AND rep(in_A,in_B,cin)out(neg,zero,ovfl,carry) |
     ((switch = F,T,T,T) ->
      BITWISE_XOR rep(in_A,in_B,cin)out(neg,zero,ovfl,carry) |
     ((switch = T,F,F,F) ->
      BITWISE_OR rep(in_A,in_B,cin)out(neg,zero,ovfl,carry) |
     ((switch = T,F,F,T) ->
      BITWISE_NOT rep(in_A,in_B,cin)out(neg,zero,ovfl,carry) |
     ((switch = T,F,T,F) ->
      ALU_NOOP rep(in_A,in_B,cin)out(neg,zero,ovfl,carry) |
     ((switch = T,F,T,T) ->
      ALU_NOOP rep(in_A,in_B,cin)out(neg,zero,ovfl,carry) |
     ((switch = T,T,F,F) ->
      ALU_NOOP rep(in_A,in_B,cin)out(neg,zero,ovfl,carry) |
     ((switch = T,T,F,T) ->
      ALU_NOOP rep(in_A,in_B,cin)out(neg,zero,ovfl,carry) |
     ((switch = T,T,T,F) ->
      ALU_NOOP rep(in_A,in_B,cin)out(neg,zero,ovfl,carry) |
      ALU_NOOP rep(in_A,in_B,cin)out(neg,zero,ovfl,carry))))))))))))))))

Run time: 219.0s

Intermediate theorems generated: 4104
%


let COND_CONJ_LEMMA = TAC_PROOF
 (([],
   "! (a:bool) (b1 x1 y1:*) b2 b3 .
     (a -> ((b1 = x1) /\ b2) | ((b1 = y1) /\ b3)) =
     ((b1 = (a -> x1 | y1)) /\ (a -> b2 | b3))"),
  REPEAT GEN_TAC
  THEN COND_CASES_TAC
  THEN REWRITE_TAC []
 );;

let COND_EQT_LEMMA = TAC_PROOF
 (([],
   "! (a:bool) (b1 x1 y1:*) b2 b3 .
     (a -> (b1 = x1) | (b1 = y1)) =
     (b1 = (a -> x1 | y1))"),
  REPEAT GEN_TAC
  THEN COND_CASES_TAC
  THEN REWRITE_TAC []
 );;

let COND_FUNC_LEMMA = TAC_PROOF
 (([],"! (a:*->**) b (c d:*) .
     (b -> (a c) | (a d)) = (a (b -> c | d))"),
  REPEAT GEN_TAC
  THEN BOOL_CASES_TAC "b"
  THEN REWRITE_TAC []
 );;

let COND_NULL_LEMMA = TAC_PROOF
 (([],"! b (c:*) .
     (b -> c | c) = c"),
  REPEAT GEN_TAC
  THEN BOOL_CASES_TAC "b"
  THEN REWRITE_TAC []
 );;

let lemma_list =
 let MAC2_EXPANDED =
   EXPAND_LET_RULE (
     ONCE_REWRITE_RULE [add_without_carry_def;
                        add_with_carry_def;
                        increment_def;
                        sub_without_carry_def;
                        sub_with_carry_def;
                        decrement_def;
                        bitwise_and_def;
                        bitwise_xor_def;
                        bitwise_or_def;
                        bitwise_not_def;
                        alu_noop_def] MAC2_ALU_SPEC) in
 let rule1 = SPEC "carry:bool" (SYM_RULE EQ_CLAUSE4) and
     rule2 = SPEC "ovfl:bool" (SYM_RULE EQ_CLAUSE4) in
 let lemma1 = PURE_ONCE_REWRITE_RULE [rule1;rule2] MAC2_EXPANDED in
 let lemma2 = UNDISCH(fst(EQ_IMP_RULE (SPEC_ALL lemma1))) in
 let lemma3 = PURE_REWRITE_RULE
                [COND_CONJ_LEMMA;COND_NULL_LEMMA] lemma2 in
 CONJUNCTS lemma3;;
let out_lemma = save_thm
 (`MAC2_OUT_LEMMA`,
  (GEN_ALL (DISCH_ALL (el 1 lemma_list)))
 );;

let neg_lemma = save_thm
 (`MAC2_NEG_LEMMA`,
  (GEN_ALL (DISCH_ALL
    (PURE_REWRITE_RULE [COND_FUNC_LEMMA] (el 2 lemma_list))))
 );;

let zero_lemma = save_thm
 (`MAC2_ZERO_LEMMA`,
  (GEN_ALL (DISCH_ALL
    (PURE_REWRITE_RULE [COND_FUNC_LEMMA] (el 3 lemma_list))))
 );;

let ovfl_lemma = save_thm
 (`MAC2_OVFL_LEMMA`,
  (GEN_ALL (DISCH_ALL (el 4 lemma_list)))
 );;

let carry_lemma = save_thm
 (`MAC2_CARRY_LEMMA`,
  (GEN_ALL (DISCH_ALL
    (PURE_REWRITE_RULE [COND_EQT_LEMMA] (el 5 lemma_list))))
 );;
3.4.4 The Shifter Unit

The section presents the ML code that creates the theory shifter_def.th.

%
File:         def_shift.ml

Author:       (c) P. J. Windley 1990

Date:         13 JAN 90

Description:

   Defines a SHIFTER used in subsequent specifications using
   generic operators from the auxiliary definitions theory.

Modification History:

   May 16 1990
      Added carry signal for shifter end bits.

%

set_search_path (search_path() @ [`/muztag/home/windley/hol/tactics/`;
                                  `/muztag/home/windley/hol/ml/`;
                                 ]);;

system `/bin/rm shift_def.th`;;
new_theory `shift_def`;;

loadf `abstract`;;

map new_parent [`aux_def`];;

let rep_ty = abstract_type `aux_def` `opcode`;;

let shifter_spec_def = new_definition
 (`SHIFTER_SPEC`,
  "! (rep:^rep_ty) switch in_A out c_flag .
    SHIFTER_SPEC rep switch in_A out c_flag =
     ((switch = (F,F)) -> ((out = (shl rep) in_A) /\
                           (c_flag = (msb rep) in_A)) |
      (switch = (F,T)) -> ((out = (shr rep) in_A) /\
                           (c_flag = (lsb rep) in_A)) |
      (switch = (T,F)) -> ((out = (asr rep) in_A) /\
                           (c_flag = (lsb rep) in_A)) |
                          ((out = in_A) /\
                           (c_flag = F)))"
 );;
let COND_CONJ_LEMMA = TAC_PROOF
 (([],
   "! (a:bool) (b1 x1 y1:*) b2 b3 .
     (a -> ((b1 = x1) /\ b2) | ((b1 = y1) /\ b3)) =
     ((b1 = (a -> x1 | y1)) /\ (a -> b2 | b3))"),
  REPEAT GEN_TAC
  THEN COND_CASES_TAC
  THEN REWRITE_TAC []
 );;

let COND_EQT_LEMMA = TAC_PROOF
 (([],
   "! (a:bool) (b1 x1 y1:*) b2 b3 .
     (a -> (b1 = x1) | (b1 = y1)) =
     (b1 = (a -> x1 | y1))"),
  REPEAT GEN_TAC
  THEN COND_CASES_TAC
  THEN REWRITE_TAC []
 );;

let COND_FUNC_LEMMA = TAC_PROOF
 (([],"! (a:*->**) b (c d:*) .
     (b -> (a c) | (a d)) = (a (b -> c | d))"),
  REPEAT GEN_TAC
  THEN BOOL_CASES_TAC "b"
  THEN REWRITE_TAC []
 );;

let COND_NULL_LEMMA = TAC_PROOF
 (([],"! b (c:*) .
     (b -> c | c) = c"),
  REPEAT GEN_TAC
  THEN BOOL_CASES_TAC "b"
  THEN REWRITE_TAC []
 );;


let lemma_list =
 let rule1 = SPEC "c_flag:bool" (SYM_RULE EQ_CLAUSE4) in
 let lemma1 = PURE_ONCE_REWRITE_RULE [rule1] shifter_spec_def in
 let lemma2 = UNDISCH(fst(EQ_IMP_RULE (SPEC_ALL lemma1))) in
 let lemma3 = PURE_REWRITE_RULE
                [COND_CONJ_LEMMA;COND_NULL_LEMMA] lemma2 in
 CONJUNCTS lemma3;;

let out_lemma = save_thm
 (`SHIFTER_OUT_LEMMA`,
  (GEN_ALL (DISCH_ALL (el 1 lemma_list)))
 );;


let carry_lemma = save_thm
 (`SHIFTER_CARRY_LEMMA`,
  (GEN_ALL (DISCH_ALL
    (PURE_REWRITE_RULE [COND_EQT_LEMMA] (el 2 lemma_list))))
 );;

close_theory();;
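The two case analyses above (MAC2_ALU_SPEC in 3.4.3 and SHIFTER_SPEC in 3.4.4) are relations over an abstract word representation, so nothing on this page can actually be executed. The following is an added reference model in Python, not part of the HOL scripts, that fixes a concrete word width and decodes the same switch codes. The meanings assumed for the generic operators (negp = top bit set, zerop = word is 0, addp/subp = unsigned carry or borrow, aovfl = two's-complement overflow) are assumptions, since aux_def is not shown here; INCREMENT and DECREMENT hard-wire ovfl to F exactly as the HOL definitions do.

```python
from collections import namedtuple

WIDTH = 8                        # assumed word width (the HOL model is generic in *wordn)
MASK = (1 << WIDTH) - 1
SIGN = 1 << (WIDTH - 1)
SMIN, SMAX = -SIGN, SIGN - 1

AluResult = namedtuple("AluResult", "out neg zero ovfl carry")

def signed(w):
    """Two's-complement value of a WIDTH-bit word."""
    return w - (1 << WIDTH) if w & SIGN else w

def negp(w):  return bool(w & SIGN)     # assumed meaning of (negp rep)
def zerop(w): return w == 0             # assumed meaning of (zerop rep)
def msb(w):   return bool(w & SIGN)
def lsb(w):   return bool(w & 1)

def _arith(unsigned_total, signed_total, flag_ovfl=True):
    """Mask the result to WIDTH bits and derive the four flags.
    carry: the unsigned result did not fit (carry out, or borrow when the
           unsigned total is negative);
    ovfl:  the signed result left [SMIN, SMAX]; forced to F where the HOL
           definition binds v = F (INCREMENT, DECREMENT)."""
    out = unsigned_total & MASK
    carry = unsigned_total > MASK or unsigned_total < 0
    ovfl = flag_ovfl and not (SMIN <= signed_total <= SMAX)
    return AluResult(out, negp(out), zerop(out), ovfl, carry)

def add_without_carry(a, b, cin): return _arith(a + b, signed(a) + signed(b))
def add_with_carry(a, b, cin):    return _arith(a + b + cin, signed(a) + signed(b) + cin)
def increment(a, b, cin):         return _arith(a + 1, signed(a) + 1, flag_ovfl=False)
def sub_without_carry(a, b, cin): return _arith(a - b, signed(a) - signed(b))
def sub_with_carry(a, b, cin):    return _arith(a - b - cin, signed(a) - signed(b) - cin)
def decrement(a, b, cin):         return _arith(a - 1, signed(a) - 1, flag_ovfl=False)

def _logic(out):
    # The bitwise definitions bind c = F and v = F.
    out &= MASK
    return AluResult(out, negp(out), zerop(out), False, False)

def bitwise_and(a, b, cin): return _logic(a & b)
def bitwise_xor(a, b, cin): return _logic(a ^ b)
def bitwise_or(a, b, cin):  return _logic(a | b)
def bitwise_not(a, b, cin): return _logic(~a & MASK)
def alu_noop(a, b, cin):    return _logic(a)     # out = in_A, flags of in_A, ovfl = carry = F

F, T = False, True
# Switch decoding as in the MAC2_ALU_SPEC theorem; codes from (T,F,T,F)
# upward all select ALU_NOOP, which is the dictionary's default.
ALU_OPS = {
    (F,F,F,F): add_without_carry, (F,F,F,T): add_with_carry,
    (F,F,T,F): increment,         (F,F,T,T): sub_without_carry,
    (F,T,F,F): sub_with_carry,    (F,T,F,T): decrement,
    (F,T,T,F): bitwise_and,       (F,T,T,T): bitwise_xor,
    (T,F,F,F): bitwise_or,        (T,F,F,T): bitwise_not,
}

def alu_spec(switch, in_A, in_B, cin):
    """MAC2_ALU_SPEC rep switch (in_A, in_B, cin) out (neg, zero, ovfl, carry)."""
    return ALU_OPS.get(switch, alu_noop)(in_A & MASK, in_B & MASK, int(cin))

def shifter_spec(switch, in_A):
    """SHIFTER_SPEC rep switch in_A out c_flag, returned as (out, c_flag).
    The carry flag receives the bit shifted out; F on the pass-through code."""
    in_A &= MASK
    if switch == (F, F): return (in_A << 1) & MASK, msb(in_A)             # shl
    if switch == (F, T): return in_A >> 1, lsb(in_A)                      # shr
    if switch == (T, F): return (in_A >> 1) | (in_A & SIGN), lsb(in_A)    # asr
    return in_A, False

if __name__ == "__main__":
    # Same unsigned addition, different flags: 0x7f+1 overflows, 0xff+1 wraps.
    print(alu_spec((F,F,F,F), 0x7f, 0x01, F))
    print(alu_spec((F,F,F,F), 0xff, 0x01, F))
```

The two calls in the `__main__` block are the point of the model: the signed-overflow flag and the unsigned-carry flag are set by different inputs, which is why the lemmas above treat ovfl and carry as separate conjuncts rather than deriving one from the other.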



3.4.5 The Microprogram Counter Unit

The section presents the ML code that creates the theory mpc_def.th.

%
File:         def_mpc.ml

Author:       (c) P. J. Windley 1990

Date:         18 JAN 90

Modified:

Description:

   Defines a function specifying the behavior of the microprogram
   counter unit. The definition is used in the specification of
   the electronic block model and the phase level.

%

set_search_path (search_path() @ [`/muztag/home/windley/hol/tactics/`;
                                  `/muztag/home/windley/hol/ml/`;
                                 ]);;

let Library_Root = `/muztag/home/windley/hol/Library/`;;

set_search_path
   (search_path() @
    (map (concat Library_Root)
         [`tuple/`; `decimal/`; `assoc/`]));;

system `/bin/rm mpc_def.th`;;

new_theory `mpc_def`;;

map new_parent [`tuple`; `aux_thms`];;

let MPC_UNIT = new_definition
 (`MPC_UNIT`,
  "!(mpc:bt6) (opc:bt6) addr cond ireq_f ie sm.
    MPC_UNIT mpc opc addr cond ireq_f ie sm =
     let bt6_inc n = (add_bt6 n 1) in
     ((cond = (F,F,F)) -> (bt6_inc mpc) |
      (cond = (F,F,T)) -> addr |
      (cond = (F,T,F)) -> (add_bt6 (F,(SND opc)) 4) |
      (cond = (F,T,T)) -> ((ireq_f /\ ie) -> addr | (bt6_inc mpc)) |
      (cond = (T,F,F)) -> (sm -> addr | (bt6_inc mpc)) |
      (bt6_inc mpc))"
 );;

close_theory();;
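MPC_UNIT above is the whole next-address function of the microsequencer, so it is worth reading case by case: an interrupt branch is taken only when both ireq_f and ie hold, and the supervisor-mode branch only when sm holds; every other code falls through to mpc+1. The model below is an added example, not part of the HOL script. It assumes bt6 is a 6-tuple of booleans, most significant bit first, and that add_bt6 is addition modulo 64 on that encoding; both are assumptions, since the bt6 theory is not on this page.

```python
F, T = False, True

def bt6_to_int(b):
    """6-tuple of bools, MSB first, to an integer in 0..63 (assumed encoding)."""
    v = 0
    for bit in b:
        v = (v << 1) | int(bit)
    return v

def int_to_bt6(n):
    """Inverse of bt6_to_int; wraps modulo 64 like a 6-bit counter."""
    n &= 0x3f
    return tuple(bool((n >> i) & 1) for i in range(5, -1, -1))

def add_bt6(b, n):
    """Assumed semantics of add_bt6: modular 6-bit addition."""
    return int_to_bt6(bt6_to_int(b) + n)

def mpc_unit(mpc, opc, addr, cond, ireq_f, ie, sm):
    """Next microprogram address, one case per line of MPC_UNIT."""
    bt6_inc = lambda b: add_bt6(b, 1)
    if cond == (F, F, F):
        return bt6_inc(mpc)                                  # sequential
    if cond == (F, F, T):
        return addr                                          # unconditional jump
    if cond == (F, T, F):
        # opcode dispatch: (F, SND opc) is the 6-tuple with the top bit
        # cleared; the dispatch table starts at microaddress 4.
        return add_bt6((F,) + tuple(opc[1:]), 4)
    if cond == (F, T, T):
        # interrupt branch: only if a request is pending AND interrupts are enabled
        return addr if (ireq_f and ie) else bt6_inc(mpc)
    if cond == (T, F, F):
        return addr if sm else bt6_inc(mpc)                  # supervisor-mode test
    return bt6_inc(mpc)                                      # remaining codes fall through

def next_mpc(mpc, opc, addr, cond, ireq_f=F, ie=F, sm=F):
    """Integer convenience wrapper around mpc_unit for inspection."""
    return bt6_to_int(mpc_unit(int_to_bt6(mpc), int_to_bt6(opc),
                               int_to_bt6(addr), cond, ireq_f, ie, sm))

if __name__ == "__main__":
    # interrupt pending but masked: the sequencer does not branch
    print(next_mpc(5, 0, 20, (F, T, T), ireq_f=T, ie=F))   # 6
    print(next_mpc(5, 0, 20, (F, T, T), ireq_f=T, ie=T))   # 20
```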


3.4.6 The State Selectors.

The section presents the ML code that creates the theory select_def.th.

%
File:         def_select.ml

Author:       (c) P. J. Windley 1990

Date:         25 May 90

Description:

   Defines selection functions for the electronic block model state
   and environment.

Modification History:

%

set_search_path (search_path() @ [`/muztag/home/windley/hol/tactics/`;
                                  `/muztag/home/windley/hol/ml/`;
                                 ]);;

let Library_Root = `/muztag/home/windley/hol/Library/`;;

set_search_path
   (search_path() @
    (map (concat Library_Root)
         [`tuple/`; `decimal/`; `assoc/`]));;

system `/bin/rm select_def.th`;;
new_theory `select_def`;;
map new_parent [`ucode_def`; `tuple`];;
new_type_abbrev (`time`, ":num");;

%
Define State and selector functions for s:time->^EBM_state
%

let EBM_state =
 ":((*wordn)list#*wordn#*wordn#*memory#
    *wordn#*wordn#*wordn#*wordn#bt6#
    *wordn#*wordn#bool#bool#ucode#(num->ucode)#bt2)";;

let EBM_env = ":bool";;

let Selector_TAC x =
  REPEAT GEN_TAC
  THEN CONV_TAC (TOP_DEPTH_CONV FUN_EQ_CONV)
  THEN PURE_ONCE_REWRITE_TAC [x]
  THEN BETA_TAC
  THEN REWRITE_TAC [];;


let RegS = new_definition
 (`RegS`,
  "!(t:time) (s:time->^EBM_state) .
    RegS s t = FST (s t)"
 );;

let RegS = prove_thm
 (`RegS`,
  "! (reg:time->(*wordn)list) (mem:time->*memory)
     (psw pc ivec ir mar mbr alatch blatch:time->*wordn)
     (mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
     (mir:time->ucode) (ireq_ff iack_ff:time->bool) .
    RegS (\t.(reg t, psw t, pc t, mem t, ivec t,
              ir t, mar t, mbr t, mpc t,
              alatch t, blatch t, ireq_ff t,
              iack_ff t, mir t, urom, clk t)) = reg",
  Selector_TAC RegS
 );;

let PswS = new_definition
 (`PswS`,
  "!(t:time) (s:time->^EBM_state) .
    PswS s t = FST(SND(s t))"
 );;

let PswS = prove_thm
 (`PswS`,
  "! (reg:time->(*wordn)list) (mem:time->*memory)
     (psw pc ivec ir mar mbr alatch blatch:time->*wordn)
     (mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
     (mir:time->ucode) (ireq_ff iack_ff:time->bool) .
    PswS (\t.(reg t, psw t, pc t, mem t, ivec t,
              ir t, mar t, mbr t, mpc t,
              alatch t, blatch t, ireq_ff t,
              iack_ff t, mir t, urom, clk t)) = psw",
  Selector_TAC PswS
 );;

let PcS = new_definition
 (`PcS`,
  "!(t:time) (s:time->^EBM_state) .
    PcS s t = FST(SND(SND(s t)))"
 );;

let PcS = prove_thm
 (`PcS`,
  "! (reg:time->(*wordn)list) (mem:time->*memory)
     (psw pc ivec ir mar mbr alatch blatch:time->*wordn)
     (mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
     (mir:time->ucode) (ireq_ff iack_ff:time->bool) .
    PcS (\t.(reg t, psw t, pc t, mem t, ivec t,
             ir t, mar t, mbr t, mpc t,
             alatch t, blatch t, ireq_ff t,
             iack_ff t, mir t, urom, clk t)) = pc",
  Selector_TAC PcS
 );;

let MemS = new_definition
 (`MemS`,
  "!(t:time) (s:time->^EBM_state) .
    MemS s t = FST(SND(SND(SND(s t))))"
 );;

let MemS = prove_thm
 (`MemS`,
  "! (reg:time->(*wordn)list) (mem:time->*memory)
     (psw pc ivec ir mar mbr alatch blatch:time->*wordn)
     (mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
     (mir:time->ucode) (ireq_ff iack_ff:time->bool) .
    MemS (\t.(reg t, psw t, pc t, mem t, ivec t,
              ir t, mar t, mbr t, mpc t,
              alatch t, blatch t, ireq_ff t,
              iack_ff t, mir t, urom, clk t)) = mem",
  Selector_TAC MemS
 );;

let IvecS = new_definition
 (`IvecS`,
  "!(t:time) (s:time->^EBM_state) .
    IvecS s t = FST(SND(SND(SND(SND(s t)))))"
 );;

let IvecS = prove_thm
 (`IvecS`,
  "! (reg:time->(*wordn)list) (mem:time->*memory)
     (psw pc ivec ir mar mbr alatch blatch:time->*wordn)
     (mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
     (mir:time->ucode) (ireq_ff iack_ff:time->bool) .
    IvecS (\t.(reg t, psw t, pc t, mem t, ivec t,
               ir t, mar t, mbr t, mpc t,
               alatch t, blatch t, ireq_ff t,
               iack_ff t, mir t, urom, clk t)) = ivec",
  Selector_TAC IvecS
 );;

let IrS = new_definition
 (`IrS`,
  "!(t:time) (s:time->^EBM_state) .
    IrS s t = FST(SND(SND(SND(SND(SND(s t))))))"
 );;

let IrS = prove_thm
 (`IrS`,
  "! (reg:time->(*wordn)list) (mem:time->*memory)
     (psw pc ivec ir mar mbr alatch blatch:time->*wordn)
     (mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
     (mir:time->ucode) (ireq_ff iack_ff:time->bool) .
    IrS (\t.(reg t, psw t, pc t, mem t, ivec t,
             ir t, mar t, mbr t, mpc t,
             alatch t, blatch t, ireq_ff t,
             iack_ff t, mir t, urom, clk t)) = ir",
  Selector_TAC IrS
 );;
let MarS = new_definition
 (`MarS`,
  "!(t:time) (s:time->^EBM_state) .
    MarS s t = FST(SND(SND(SND(SND(SND(SND(s t)))))))"
 );;

let MarS = prove_thm
 (`MarS`,
  "! (reg:time->(*wordn)list) (mem:time->*memory)
     (psw pc ivec ir mar mbr alatch blatch:time->*wordn)
     (mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
     (mir:time->ucode) (ireq_ff iack_ff:time->bool) .
    MarS (\t.(reg t, psw t, pc t, mem t, ivec t,
              ir t, mar t, mbr t, mpc t,
              alatch t, blatch t, ireq_ff t,
              iack_ff t, mir t, urom, clk t)) = mar",
  Selector_TAC MarS
 );;

let MbrS = new_definition
 (`MbrS`,
  "!(t:time) (s:time->^EBM_state) .
    MbrS s t = FST(SND(SND(SND(SND(SND(SND(SND(s t))))))))"
 );;

let MbrS = prove_thm
 (`MbrS`,
  "! (reg:time->(*wordn)list) (mem:time->*memory)
     (psw pc ivec ir mar mbr alatch blatch:time->*wordn)
     (mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
     (mir:time->ucode) (ireq_ff iack_ff:time->bool) .
    MbrS (\t.(reg t, psw t, pc t, mem t, ivec t,
              ir t, mar t, mbr t, mpc t,
              alatch t, blatch t, ireq_ff t,
              iack_ff t, mir t, urom, clk t)) = mbr",
  Selector_TAC MbrS
 );;

let MpcS = new_definition
 (`MpcS`,
  "!(t:time) (s:time->^EBM_state) .
    MpcS s t = FST(SND(SND(SND(SND(SND(SND(SND(SND(s t)))))))))"
 );;

let MpcS = prove_thm
 (`MpcS`,
  "! (reg:time->(*wordn)list) (mem:time->*memory)
     (psw pc ivec ir mar mbr alatch blatch:time->*wordn)
     (mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
     (mir:time->ucode) (ireq_ff iack_ff:time->bool) .
    MpcS (\t.(reg t, psw t, pc t, mem t, ivec t,
              ir t, mar t, mbr t, mpc t,
              alatch t, blatch t, ireq_ff t,
              iack_ff t, mir t, urom, clk t)) = mpc",
  Selector_TAC MpcS
 );;

let AlatchS = new_definition
 (`AlatchS`,
  "!(t:time) (s:time->^EBM_state) .
    AlatchS s t = FST(SND(SND(SND(SND(
                  SND(SND(SND(SND(SND(s t))))))))))"
 );;

let AlatchS = prove_thm
 (`AlatchS`,
  "! (reg:time->(*wordn)list) (mem:time->*memory)
     (psw pc ivec ir mar mbr alatch blatch:time->*wordn)
     (mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
     (mir:time->ucode) (ireq_ff iack_ff:time->bool) .
    AlatchS (\t.(reg t, psw t, pc t, mem t, ivec t,
                 ir t, mar t, mbr t, mpc t,
                 alatch t, blatch t, ireq_ff t,
                 iack_ff t, mir t, urom, clk t)) = alatch",
  Selector_TAC AlatchS
 );;

let BlatchS = new_definition
 (`BlatchS`,
  "!(t:time) (s:time->^EBM_state) .
    BlatchS s t = FST(SND(SND(SND(SND(
                  SND(SND(SND(SND(SND(SND(s t)))))))))))"
 );;

let BlatchS = prove_thm
 (`BlatchS`,
  "! (reg:time->(*wordn)list) (mem:time->*memory)
     (psw pc ivec ir mar mbr alatch blatch:time->*wordn)
     (mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
     (mir:time->ucode) (ireq_ff iack_ff:time->bool) .
    BlatchS (\t.(reg t, psw t, pc t, mem t, ivec t,
                 ir t, mar t, mbr t, mpc t,
                 alatch t, blatch t, ireq_ff t,
                 iack_ff t, mir t, urom, clk t)) = blatch",
  Selector_TAC BlatchS
 );;
let IreqS = new_definition
 (`IreqS`,
  "!(t:time) (s:time->^EBM_state) .
    IreqS s t = FST(SND(SND(SND(SND(SND(
                SND(SND(SND(SND(SND(SND(s t))))))))))))"
 );;

let IreqS = prove_thm
 (`IreqS`,
  "! (reg:time->(*wordn)list) (mem:time->*memory)
     (psw pc ivec ir mar mbr alatch blatch:time->*wordn)
     (mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
     (mir:time->ucode) (ireq_ff iack_ff:time->bool) .
    IreqS (\t.(reg t, psw t, pc t, mem t, ivec t,
               ir t, mar t, mbr t, mpc t,
               alatch t, blatch t, ireq_ff t,
               iack_ff t, mir t, urom, clk t)) = ireq_ff",
  Selector_TAC IreqS
 );;

let IackS = new_definition
 (`IackS`,
  "!(t:time) (s:time->^EBM_state) .
    IackS s t = FST(SND(SND(SND(SND(SND(SND(
                SND(SND(SND(SND(SND(SND(s t)))))))))))))"
 );;

let IackS = prove_thm
 (`IackS`,
  "! (reg:time->(*wordn)list) (mem:time->*memory)
     (psw pc ivec ir mar mbr alatch blatch:time->*wordn)
     (mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
     (mir:time->ucode) (ireq_ff iack_ff:time->bool) .
    IackS (\t.(reg t, psw t, pc t, mem t, ivec t,
               ir t, mar t, mbr t, mpc t,
               alatch t, blatch t, ireq_ff t,
               iack_ff t, mir t, urom, clk t)) = iack_ff",
  Selector_TAC IackS
 );;

let MirS = new_definition
 (`MirS`,
  "!(t:time) (s:time->^EBM_state) .
    MirS s t = FST(SND(SND(SND(SND(SND(SND(SND(
               SND(SND(SND(SND(SND(SND(s t))))))))))))))"
 );;

let MirS = prove_thm
 (`MirS`,
  "! (reg:time->(*wordn)list) (mem:time->*memory)
     (psw pc ivec ir mar mbr alatch blatch:time->*wordn)
     (mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
     (mir:time->ucode) (ireq_ff iack_ff:time->bool) .
    MirS (\t.(reg t, psw t, pc t, mem t, ivec t,
              ir t, mar t, mbr t, mpc t,
              alatch t, blatch t, ireq_ff t,
              iack_ff t, mir t, urom, clk t)) = mir",
  Selector_TAC MirS
 );;

let UromS = new_definition
 (`UromS`,
  "!(t:time) (s:time->^EBM_state) .
    UromS s t = FST(SND(SND(SND(SND(SND(SND(SND(SND(
                SND(SND(SND(SND(SND(SND(s t)))))))))))))))"
 );;

let UromS = prove_thm
 (`UromS`,
  "! (reg:time->(*wordn)list) (mem:time->*memory)
     (psw pc ivec ir mar mbr alatch blatch:time->*wordn)
     (mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
     (mir:time->ucode) (ireq_ff iack_ff:time->bool) .
    UromS (\t.(reg t, psw t, pc t, mem t, ivec t,
               ir t, mar t, mbr t, mpc t,
               alatch t, blatch t, ireq_ff t,
               iack_ff t, mir t, urom, clk t)) = (\t:time.urom)",
  Selector_TAC UromS
 );;

let ClkS = new_definition
 (`ClkS`,
  "!(t:time) (s:time->^EBM_state) .
    ClkS s t = SND(SND(SND(SND(SND(SND(SND(SND(SND(
               SND(SND(SND(SND(SND(SND(s t)))))))))))))))"
 );;

let ClkS = prove_thm
 (`ClkS`,
  "! (reg:time->(*wordn)list) (mem:time->*memory)
     (psw pc ivec ir mar mbr alatch blatch:time->*wordn)
     (mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
     (mir:time->ucode) (ireq_ff iack_ff:time->bool) .
    ClkS (\t.(reg t, psw t, pc t, mem t, ivec t,
              ir t, mar t, mbr t, mpc t,
              alatch t, blatch t, ireq_ff t,
              iack_ff t, mir t, urom, clk t)) = clk",
  Selector_TAC ClkS
 );;


%
Selectors on the environment
%

let IreqE = new_definition
 (`IreqE`,
  "!(t:time) (s:time->^EBM_env) .
    IreqE s t = (s t)"
 );;

let IreqE = prove_thm
 (`IreqE`,
  "!(t:time) (ireq_e:time->bool) .
    IreqE (\t. (ireq_e t)) = ireq_e",
  Selector_TAC IreqE
 );;


close_theory();;


3.4.7 The Electronic Block Model

The section presents the ML code that creates the theory block_def.th.

%
File:         def_block.ml

Author:       (c) P. J. Windley 1990

Date:         12 JAN 90

Description:

   Defines the behavioral description of the electronic block
   model.

Modification History:

   May 16 90
      Updated to reflect new design.
      -- Non-user registers have been moved out of register file.
      -- Jump condition calculator is added.
      -- PMUX added to multiplex input to MAR
      -- MAR loads from PMUX
      -- Shifter generates carry out
      -- CMUX multiplexes carry signals from ALU and Shifter

   May 25 90
      Corrected errors in the specification:
      -- Demuxes must not have floating lines
      -- Wired ORs cannot be used (lead to inconsistencies)
      Removed EBM state selection functions and placed in
      def_select.ml.
      Corrected IR_SPEC definition to reflect desired behavior.
      Connected C255 to B bus rather than the C bus.

   May 28 90
      Fixed IVEC unit so that ivec has state.
      Fixed PC unit selection so that it doesn't fall through.

%

set_search_path (search_path() @ [`/muztag/home/windley/hol/tactics/`;
                                  `/muztag/home/windley/hol/ml/`;
                                 ]);;

let Library_Root = `/muztag/home/windley/hol/Library/`;;

set_search_path
   (search_path() @
    (map (concat Library_Root)
         [`tuple/`; `decimal/`; `assoc/`]));;

loadf `abstract`;;

system `/bin/rm block_def.th`;;

new_theory `block_def`;;

map new_parent [`alu_def`; `shift_def`; `aux_thms`; `mpc_def`;
                `tuple`; `regs_def`; `ucode_def`; `jump_def`];;

load_parent `select_def`;;

let rep_ty = abstract_type `aux_def` `opcode`;;


%
Ground
%

let GND = new_definition
 (`GND`,
  "! out . GND out = (out = F)"
 );;

%
n-bit Mux spec
%

let MUX_SPEC = new_definition
 (`MUX_SPEC`,
  "! ctl (a:*wordn) b c .
    MUX_SPEC ctl a b c =
     (c = (ctl -> a | b))"
 );;

%
1-bit Mux spec
%

let MUX_1_SPEC = new_definition
 (`MUX_1_SPEC`,
  "! ctl (a:bool) b c .
    MUX_1_SPEC ctl a b c =
     (c = (ctl -> a | b))"
 );;

%
Latch specification
%

let LATCH_SPEC = new_definition
 (`LATCH_SPEC`,
  "! (i:time->*wordn) ld out .
    LATCH_SPEC i ld out =
     (! t:time . out (t+1) = ld t -> i t
                                  | out t)"
 );;

%
Register specification
%

let REG_SPEC = new_definition
 (`REG_SPEC`,
  "! (i:time->*wordn) ld prt out contents .
    REG_SPEC i ld prt out contents =
     ! t:time .
      (contents (t+1) = ld t -> i t | contents t) /\
      (prt t ==> (out = contents))"
 );;

%
Flipflop
%

let FF_SPEC = new_definition
 (`FF_SPEC`,
  "! (in:time->bool) (ld:time->bool) (q:time->bool) .
    FF_SPEC in ld q =
     ! t:num . q(t+1) = ((ld t) -> in t | q t)"
 );;

%
Register block
%

let REGISTER_BLOCK = new_definition
 (`REGISTER_BLOCK`,
  "! (rep:^rep_ty) c s b
     ld ld_ssp prt_A prt_D prt_B ssp (in:time->*wordn) outA outB psw
     (reg_list:time->(*wordn)list) .
    REGISTER_BLOCK rep c s b ld ld_ssp prt_A prt_D ssp prt_B
                   in outA outB psw reg_list =
     !t:time .
      (reg_list (t+1) =
        (ld t) -> (UPDATE_REG rep (psw t) (reg_len rep (c t))
                              (reg_list t) (in t)) |
        (ld_ssp t) -> (UPDATE_REG rep (psw t) ssp_reg
                                  (reg_list t) (in t))
                   | (reg_list t)) /\
      (prt_A t ==> (outA t = (EL (reg_len rep (s t)) (reg_list t)))) /\
      (prt_D t ==> (outA t = (EL (reg_len rep (c t)) (reg_list t)))) /\
      (ssp t ==> (outA t = (SSP_REG (reg_list t)))) /\
      (prt_B t ==> (outB t = (EL (reg_len rep (b t)) (reg_list t))))"
 );;

%
Instruction Register
%

let IR_SPEC = new_definition
 (`IR_SPEC`,
  "! (rep:^rep_ty) set prt (in out contents:time->*wordn)
     opc_port dest_port srca_port srcb_port .
    IR_SPEC rep set prt in out contents
            opc_port dest_port srca_port srcb_port =
     (!t . (contents (t+1) = (set t) -> in t | contents t) /\
           (opc_port t = opcode rep (contents t)) /\
           (dest_port t = dest rep (contents t)) /\
           (srca_port t = srca rep (contents t)) /\
           (srcb_port t = srcb rep (contents t)) /\
           (prt t ==> (out t = (imm rep (contents t)))))"
 );;

%
PSW Register
%

let PSW_SPEC = new_definition
 (`PSW_SPEC`,
  "! (rep:^rep_ty) set clk prt (in:time->*wordn) out ie sm contents
     vf nf cf zf
     s_sm c_sm s_ie c_ie ld_v ld_n ld_c ld_z .
    PSW_SPEC rep set clk prt in out ie sm contents
             vf nf cf zf
             s_sm c_sm s_ie c_ie ld_v ld_n ld_c ld_z =
     (! t:time .
       (contents (t+1) =
         ((set t) /\ (get_sm rep (contents t))) -> in t |
         (clk t) ->
           (mk_psw rep (
             (s_sm t -> T | c_sm t -> F | (get_sm rep (contents t))),
             (s_ie t -> T | c_ie t -> F | (get_ie rep (contents t))),
             (ld_v t -> vf | (get_vf rep (contents t))),
             (ld_n t -> nf | (get_nf rep (contents t))),
             (ld_c t -> cf | (get_cf rep (contents t))),
             (ld_z t -> zf | (get_zf rep (contents t))))) |
         (contents t)) /\
       (sm t = get_sm rep (contents t)) /\
       (ie t = get_ie rep (contents t)) /\
       (prt t ==> (out = contents)))"
 );;

%
JUMP condition calculator
%
let JUMP_SPEC = new_definition
 (`JUMP_SPEC`,
  "! (rep:^rep_ty) d psw out .
    JUMP_SPEC rep d psw out =
     ! t:time . (out t) = JUMP_COND rep (reg_len rep (d t)) (psw t)"
 );;

%
Mbr
%

let MBR_SPEC = new_definition
 (`MBR_SPEC`,
  "! set clk rd_s wr_s (i:time->*wordn) value bus mem_port .
    MBR_SPEC set clk rd_s wr_s i value bus mem_port =
     (!t:time .
       (value (t+1) = (((clk t) /\ (rd_s t)) -> mem_port t |
                       ((clk t) /\ (set t)) -> i t | value t)) /\
       (wr_s t ==> (mem_port = value))) /\
     (bus = value)"
 );;

%
C255 (constant)
%

let C255_SPEC = new_definition
 (`C255_SPEC`,
  "! (rep:^rep_ty) prt out .
    C255_SPEC rep prt out =
     prt ==> (out = (wordn rep 255))"
 );;

%
Interrupt vector register specification
%

let IVEC_SPEC = new_definition
 (`IVEC_SPEC`,
  "! (rep:^rep_ty) prt (out:time->*wordn) contents .
    IVEC_SPEC rep prt out contents =
     ! t:time .
      (contents (t+1) = (contents t)) /\
      (prt t ==> (out t = (int_fetch rep (contents t))))"
 );;

%
Decoder Specs
%

let DEMUX_2_SPEC = new_definition
 (`DEMUX_2_SPEC`,
  "! s o0 o1 o2 o3 .
    DEMUX_2_SPEC s o0 o1 o2 o3 =
     (!t . o0 t = ((s t) = (F,F))) /\
     (!t . o1 t = ((s t) = (F,T))) /\
     (!t . o2 t = ((s t) = (T,F))) /\
     (!t . o3 t = ((s t) = (T,T)))"
 );;

let DEMUX_3_SPEC = new_definition
 (`DEMUX_3_SPEC`,
  "! s o0 o1 o2 o3 o4 o5 o6 o7 .
    DEMUX_3_SPEC s o0 o1 o2 o3 o4 o5 o6 o7 =
     (!t . o0 t = ((s t) = (F,F,F))) /\
     (!t . o1 t = ((s t) = (F,F,T))) /\
     (!t . o2 t = ((s t) = (F,T,F))) /\
     (!t . o3 t = ((s t) = (F,T,T))) /\
     (!t . o4 t = ((s t) = (T,F,F))) /\
     (!t . o5 t = ((s t) = (T,F,T))) /\
     (!t . o6 t = ((s t) = (T,T,F))) /\
     (!t . o7 t = ((s t) = (T,T,T)))"
 );;

%
Memory
%

let MEM = new_definition
 (`MEM`,
  "! (rep:^rep_ty) wr_s rd_s addr data mem.
    MEM rep wr_s rd_s addr data mem =
     !t:time .
      (mem (t+1) =
        (wr_s t -> store rep (mem t, address rep (addr t), (data t))
                | mem t)) /\
      (rd_s t ==> (data t = (fetch rep (mem t, address rep (addr t)))))"
 );;

%
LOGIC gates
%

let AND_SPEC = new_definition
 (`AND_SPEC`,
  "! a b out .
    AND_SPEC a b out =
     (!t:time . (out t) = (a t) /\ (b t))"
 );;

let OR_SPEC = new_definition
 (`OR_SPEC`,
  "! a b out .
    OR_SPEC a b out =
     (!t:time . (out t) = (a t) \/ (b t))"
 );;

let OR_3_SPEC = new_definition
 (`OR_3_SPEC`,
  "! a b c out .
    OR_3_SPEC a b c out =
     (!t:time . (out t) = (a t) \/ (b t) \/ (c t))"
 );;

let MAR_LOGIC_SPEC = new_definition
 (`MAR_LOGIC_SPEC`,
  "! pmux clk_3 clk_4 mar out .
    MAR_LOGIC_SPEC pmux clk_3 clk_4 mar out =
     !t:time. (out t) =
      ((((pmux t) /\ (clk_3 t)) \/ (~(pmux t) /\ (clk_4 t))) /\ (mar t))"
 );;

let PC_LOGIC_SPEC = new_definition
 (`PC_LOGIC_SPEC`,
  "! clk pc_enable pc_jmp_enable jump_flag out .
    PC_LOGIC_SPEC clk pc_enable pc_jmp_enable jump_flag out =
     ! t:time . (out t) = (clk t) /\
                          ((pc_enable t) \/
                           ((pc_jmp_enable t) /\ (jump_flag t)))"
 );;


%-----------------------------------------------------------------------------
  Data path
-----------------------------------------------------------------------------%

let DATAPATH = new_definition
  (`DATAPATH`,
   "! (rep:^rep_ty)
      mem reg mar mbr alatch blatch ir pc psw ivec
      iack_ff ireq_ff
      ireq_e
      amux_s alu_s shft_s mbr_s mar_s pmux_s cselect aselect bselect
      s_sm c_sm s_ie c_ie ld_c ld_v ld_n ld_z csrc_s
      iack_s rd_s wr_s
      opc ie sm
      clk_1 clk_2 clk_3 clk_4 .
     DATAPATH rep mem reg mar mbr alatch blatch ir pc psw ivec
       iack_ff ireq_ff
       ireq_e
       amux_s alu_s shft_s mbr_s mar_s pmux_s cselect aselect bselect
       s_sm c_sm s_ie c_ie ld_c ld_v ld_n ld_z csrc_s
       iack_s rd_s wr_s
       opc ie sm
       clk_1 clk_2 clk_3 clk_4 =
       !t:time .
         ? Abus Bbus Cbus MuxOut MuxIn MemData AluOut Gnd MarIn
           regd_enable ssp_enable psw_enable ir_enable pc_enable pc_jmp_enable
           reg_a_enable reg_sa_enable ssp_a_enable
           psw_a_enable C255_enable pc_a_enable
           reg_b_enable ivec_enable ir_b_enable
           ld_reg_block ld_ssp ld_ir ld_psw ld_mar ld_pc do_write
           dest_s srca_s srcb_s alu_c shift_c cf nf vf zf jump_flag
           pc_a_1 pc_a_2 pc_a_3 ir_b_1 ir_b_2
           float0 float1 .
         (GND (Gnd t)) /\
         (DEMUX_3_SPEC cselect regd_enable ssp_enable psw_enable
                       ir_enable pc_enable pc_jmp_enable
                       float0 float1) /\
         (DEMUX_3_SPEC aselect reg_a_enable reg_sa_enable ssp_a_enable
                       psw_a_enable C255_enable pc_a_1
                       pc_a_2 pc_a_3) /\
         (OR_3_SPEC pc_a_1 pc_a_2 pc_a_3 pc_a_enable) /\
         (DEMUX_2_SPEC bselect reg_b_enable ivec_enable
                       ir_b_1 ir_b_2) /\
         (OR_SPEC ir_b_1 ir_b_2 ir_b_enable) /\
         (AND_SPEC clk_4 regd_enable ld_reg_block) /\
         (AND_SPEC clk_4 ssp_enable ld_ssp) /\
         (REGISTER_BLOCK rep dest_s srca_s srcb_s
                         ld_reg_block ld_ssp reg_a_enable reg_sa_enable
                         ssp_a_enable reg_b_enable
                         Cbus Abus Bbus psw reg) /\
         (AND_SPEC clk_4 ir_enable ld_ir) /\
         (IR_SPEC rep ld_ir ir_b_enable Cbus Bbus ir
                  opc dest_s srca_s srcb_s) /\
         (LATCH_SPEC Abus clk_2 alatch) /\
         (LATCH_SPEC Bbus clk_2 blatch) /\
         (IVEC_SPEC rep ivec_enable Bbus ivec) /\
         (FF_SPEC iack_s clk_2 iack_ff) /\
         (FF_SPEC ireq_e clk_1 ireq_ff) /\
         (MUX_SPEC (amux_s t) (MuxIn t) (alatch t) (MuxOut t)) /\
         (MAC2_ALU_SPEC rep (alu_s t) (MuxOut t, blatch t, get_cf rep (psw t))
                        (AluOut t) (nf t, zf t, vf t, alu_c t)) /\
         (SHIFTER_SPEC rep (shft_s t) (AluOut t) (Cbus t) (shift_c t)) /\
         (MUX_1_SPEC (csrc_s t) (alu_c t) (shift_c t) (cf t)) /\
         (MBR_SPEC mbr_s clk_4 rd_s wr_s Cbus
                   mbr MuxIn MemData) /\
         (AND_SPEC clk_4 psw_enable ld_psw) /\
         (PSW_SPEC rep ld_psw clk_4 psw_a_enable Cbus Abus ie sm psw
                   (vf t) (nf t) (cf t) (zf t)
                   s_sm c_sm s_ie c_ie ld_v ld_n ld_c ld_z) /\
         (JUMP_SPEC rep dest_s psw jump_flag) /\
         (PC_LOGIC_SPEC clk_4 pc_enable pc_jmp_enable jump_flag ld_pc) /\
         (REG_SPEC Cbus ld_pc pc_a_enable Abus pc) /\
         (C255_SPEC rep (C255_enable t) (Abus t)) /\
         (MUX_SPEC (pmux_s t) (pc t) (Cbus t) (MarIn t)) /\
         (MAR_LOGIC_SPEC pmux_s clk_3 clk_4 mar_s ld_mar) /\
         (LATCH_SPEC MarIn ld_mar mar) /\
         (AND_SPEC clk_4 wr_s do_write) /\
         (MEM rep do_write rd_s mar MemData mem)"
  );;




%-----------------------------------------------------------------------------
  Control Unit
-----------------------------------------------------------------------------%

let MPC_SPEC = new_definition
  (`MPC_SPEC`,
   "! (rep:^rep_ty) mpc clk opc irq ie sm addr_s cond_s .
     MPC_SPEC rep mpc clk opc irq ie sm addr_s cond_s =
       !t:time .
         mpc (t+1) =
           ((clk t) =>
              (MPC_UNIT (mpc t) (opc t)
                        (addr_s t) (cond_s t) (irq t) (ie t) (sm t)) |
              mpc t)"
  );;

let MIR_SPEC = new_definition
  (`MIR_SPEC`,
   "! (mir:time->ucode) clk in
      amux_s sh_s alu_s mbr_s mar_s pmux_s cselect aselect bselect
      s_sm_s c_sm_s s_ie_s c_ie_s
      ld_c_s ld_v_s ld_n_s ld_z_s csrc_s ftch_s
      iack_s rd_s wr_s addr_s cond_s .
     MIR_SPEC mir clk in
       amux_s sh_s alu_s mbr_s mar_s pmux_s cselect aselect bselect
       s_sm_s c_sm_s s_ie_s c_ie_s
       ld_c_s ld_v_s ld_n_s ld_z_s csrc_s ftch_s
       iack_s rd_s wr_s addr_s cond_s =
       !t:time .
         (mir (t+1) = (clk t => (in t) | (mir t))) /\
         (amux_s t = (Amux (mir t))) /\
         (sh_s t = (Shift (mir t))) /\
         (alu_s t = (Alu (mir t))) /\
         (mbr_s t = (Mbr (mir t))) /\
         (mar_s t = (Mar (mir t))) /\
         (pmux_s t = (Pmux (mir t))) /\
         (cselect t = (Trgt (mir t))) /\
         (aselect t = (SrcA (mir t))) /\
         (bselect t = (SrcB (mir t))) /\
         (s_sm_s t = (S_sm (mir t))) /\
         (c_sm_s t = (C_sm (mir t))) /\
         (s_ie_s t = (S_ie (mir t))) /\
         (c_ie_s t = (C_ie (mir t))) /\
         (ld_c_s t = (Ld_c (mir t))) /\
         (ld_v_s t = (Ld_v (mir t))) /\
         (ld_n_s t = (Ld_n (mir t))) /\
         (ld_z_s t = (Ld_z (mir t))) /\
         (csrc_s t = (Csrc (mir t))) /\
         (ftch_s t = (Ftch (mir t))) /\
         (iack_s t = (Iack (mir t))) /\
         (rd_s t = (Rd (mir t))) /\
         (wr_s t = (Wr (mir t))) /\
         (addr_s t = (Address (mir t))) /\
         (cond_s t = (Cond (mir t)))"
  );;

let CLOCK_SPEC = new_definition
  (`CLOCK_SPEC`,
   "! clk clk_1 clk_2 clk_3 clk_4 .
     CLOCK_SPEC clk clk_1 clk_2 clk_3 clk_4 =
       !t:time .
         (clk (t+1) = (((clk t) = (F,F)) => (F,T) |
                       ((clk t) = (F,T)) => (T,F) |
                       ((clk t) = (T,F)) => (T,T) | (F,F))) /\
         (clk_1 t = (clk t = (F,F))) /\
         (clk_2 t = (clk t = (F,T))) /\
         (clk_3 t = (clk t = (T,F))) /\
         (clk_4 t = (clk t = (T,T)))"
  );;

let CONTROL_UNIT = new_definition
  (`CONTROL_UNIT`,
   "! (rep:^rep_ty) (mpc:time->bt6) (mir:time->ucode) clk
      (urom:(time->num->ucode))
      clk_1 clk_2 clk_3 clk_4
      amux_s sh_s alu_s mbr_s mar_s pmux_s cselect aselect bselect
      s_sm c_sm s_ie c_ie ld_c ld_v ld_n ld_z csrc_s ftch_s
      iack_s rd_s wr_s
      opc sm ie ireq_f .
     CONTROL_UNIT rep
       mpc mir clk urom
       clk_1 clk_2 clk_3 clk_4
       amux_s sh_s alu_s mbr_s mar_s pmux_s cselect aselect bselect
       s_sm c_sm s_ie c_ie ld_c ld_v ld_n ld_z csrc_s ftch_s
       iack_s rd_s wr_s
       opc sm ie ireq_f =
       ? addr_s cond_s .
         (MPC_SPEC rep mpc clk_4 opc ireq_f ie sm addr_s cond_s) /\
         (MIR_SPEC mir clk_1 (\t. (urom t (bt6_val (mpc t))))
                   amux_s sh_s alu_s mbr_s mar_s pmux_s cselect aselect bselect
                   s_sm c_sm s_ie c_ie ld_c ld_v ld_n ld_z csrc_s ftch_s
                   iack_s rd_s wr_s addr_s cond_s) /\
         (CLOCK_SPEC clk clk_1 clk_2 clk_3 clk_4)"
  );;


%-----------------------------------------------------------------------------
  Define State and selector functions for s : time->^EBM_state
-----------------------------------------------------------------------------%

let EBM_state =
  ":((*wordn)list#*wordn#*wordn#*memory#
     *wordn#*wordn#*wordn#*wordn#bt6#
     *wordn#*wordn#bool#bool#ucode#(num->ucode)#bt2)";;

let EBM_env = ":bool";;


%-----------------------------------------------------------------------------
  Define Electronic Block Model

  This definition uses the selection functions on the state and
  environment defined in def_select.ml.  This is done in order
  to have the definition be of the form "EBM rep s e = ..." so
  that it can be used with the generic interpreter theory.
-----------------------------------------------------------------------------%

let EBM_def = new_definition
  (`EBM_def`,
   "! (rep:^rep_ty) (s:time->^EBM_state) (e:time->^EBM_env) .
     EBM rep s e =
       ? amux_s alu_s shft_s mbr_s mar_s pmux_s cselect aselect
         bselect
         s_sm c_sm s_ie c_ie ld_c ld_v ld_n ld_z csrc_s
         iack_s rd_s wr_s ftch_s
         opc ie sm
         clk_1 clk_2 clk_3 clk_4 .
         (DATAPATH rep
            (MemS s) (RegS s) (MarS s) (MbrS s)
            (AlatchS s) (BlatchS s) (IrS s) (PcS s) (PswS s)
            (IvecS s) (IackS s) (IreqS s)
            (IreqE e)
            amux_s alu_s shft_s mbr_s mar_s pmux_s cselect aselect
            bselect
            s_sm c_sm s_ie c_ie ld_c ld_v ld_n ld_z csrc_s
            iack_s rd_s wr_s
            opc ie sm
            clk_1 clk_2 clk_3 clk_4) /\
         (CONTROL_UNIT rep
            (MpcS s) (MirS s) (ClkS s) (UromS s)
            clk_1 clk_2 clk_3 clk_4
            amux_s shft_s alu_s mbr_s mar_s pmux_s cselect aselect
            bselect
            s_sm c_sm s_ie c_ie ld_c ld_v ld_n ld_z csrc_s ftch_s
            iack_s rd_s wr_s
            opc sm ie (IreqS s))"
  );;

let EBM = save_thm
  (`EBM`,
   GEN_ALL (
     PURE_ONCE_REWRITE_RULE
       [RegS; PswS; PcS; MemS; IvecS; IrS; MarS;
        MbrS; MpcS; AlatchS; BlatchS; IreqS;
        IackS; MirS; UromS; ClkS; IreqE] (
       SPECL ["rep:^rep_ty";
              "(\t. (reg t, psw t, pc t, mem t, ivec t,
                     ir t, mar t, mbr t, mpc t,
                     alatch t, blatch t, ireq_ff t,
                     iack_ff t, mir t, urom, clk t)) : time->^EBM_state";
              "(\t. (ireq_e t)) : time->^EBM_env"] EBM_def))
  );;

let EBM_expanded = save_thm
  (`EBM_expanded`,
   CONV_RULE (TOP_DEPTH_CONV BETA_CONV) (
     PURE_ONCE_REWRITE_RULE [
       GND; MUX_SPEC; MUX_1_SPEC; LATCH_SPEC; REG_SPEC;
       FF_SPEC; REGISTER_BLOCK; IR_SPEC; PSW_SPEC;
       JUMP_SPEC; MBR_SPEC; C255_SPEC; DEMUX_2_SPEC;
       DEMUX_3_SPEC; MEM; AND_SPEC; OR_SPEC; OR_3_SPEC;
       MAR_LOGIC_SPEC; PC_LOGIC_SPEC;
       MPC_SPEC; MIR_SPEC; CLOCK_SPEC; IVEC_SPEC] (
       PURE_ONCE_REWRITE_RULE [DATAPATH; CONTROL_UNIT] (
         SPEC_ALL EBM)))
  );;


%-----------------------------------------------------------------------------
  Define a function that maps EBM state to the EBM counter.
-----------------------------------------------------------------------------%

let GetEBMClock = new_definition
  (`GetEBMClock`,
   "! (rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
      (psw pc ivec ir mar mbr alatch blatch:*wordn)
      (mpc:bt6) (clk:bt2) (urom:num->ucode) (mir:ucode)
      (ireq_ff iack_ff int_e:bool) .
     GetEBMClock rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc,
                      alatch, blatch, ireq_ff, iack_ff, mir, urom, clk)
                 (int_e) = \x:bool.F"
  );;




%-----------------------------------------------------------------------------
  Define the start state
-----------------------------------------------------------------------------%

let EBM_Start = new_definition
  (`EBM_Start`,
   "EBM_Start = \x:bool.F"
  );;

close_theory();;
3.5 The Phase-Level

This section presents the theories that define the phase-level interpreter. Also presented is the theory
that verifies the phase-level interpreter with respect to the electronic block model.

3.5.1 The Microcode Assembler

This section presents the ML code that defines the microcode assembler.

%-----------------------------------------------------------------------------
  File:         ucode_aux.ml
  Author:       (c) P. J. Windley 1990
  Date:         JUN 23, 1990
  Modified:
  Description:
    Defines the ML functions and constants necessary to describe
    the microinstructions.  This file is loaded by several files
    that define theories.
-----------------------------------------------------------------------------%

set_search_path (search_path() @ [`/muztag/home/windley/hol/tactics/`;
                                   `/muztag/home/windley/hol/ml/`;
                                  ]);;

let Library_Root = `/muztag/home/windley/hol/Library/`;;
set_search_path
  (search_path() @
   (map (concat Library_Root) [`decimal/`; `assoc/`; `tuple/`]));;


%-----------------------------------------------------------------------------
  A microinstruction has the following format:

  Bits  Mnemonic  Description
  ----  --------  --------------------------------------
   1    AMUX      Toggle MUX on A-bus
   2    SHFT      Shifter function
   4    ALU       ALU function
   1    MAR       Load MAR from P-Mux
   1    MBR       Load MBR from C-bus
   1    PMUX      Toggle MUX loading MAR
   3    SRCA      A-bus source (includes SSP)
   2    SRCB      B-bus source
   3    TRGT      C-bus target (includes SSP)
   1    S_SM      Set supervisory mode bit in PSW
   1    C_SM      Clear supervisory mode bit in PSW
   1    S_IE      Set interrupt enable bit in PSW
   1    C_IE      Clear interrupt enable bit in PSW
   1    LD_C      Load carry bit in PSW
   1    LD_V      Load overflow bit in PSW
   1    LD_N      Load negative bit in PSW
   1    LD_Z      Load zero bit in PSW
   1    CSRC      Source of carry (shifter or alu)
   1    IACK      Interrupt acknowledge signal
   1    FTCH      Fetch signal
   1    RD        Read signal
   1    WR        Write signal
   3    COND      Microcode jump condition
   6    ADDR      Next address
-----------------------------------------------------------------------------%


%-----------------------------------------------------------------------------
  Shifter mnemonics
-----------------------------------------------------------------------------%

let shl = "(F,F)";;
let shr = "(F,T)";;
let asr = "(T,F)";;
let nsh = "(T,T)";;

%-----------------------------------------------------------------------------
  ALU mnemonics
-----------------------------------------------------------------------------%

let add  = "(F,F,F,F)";;
let addc = "(F,F,F,T)";;
let inc  = "(F,F,T,F)";;
let sub  = "(F,F,T,T)";;
let subc = "(F,T,F,F)";;
let dec  = "(F,T,F,T)";;
let band = "(F,T,T,F)";;
let bxor = "(F,T,T,T)";;
let bor  = "(T,F,F,F)";;
let bnot = "(T,F,F,T)";;
let nop  = "(T,F,T,F)";;

%-----------------------------------------------------------------------------
  Register mnemonics
-----------------------------------------------------------------------------%

let reg_file    = "(F,F,F,F)";;
let ssp         = "(F,F,F,T)";;
let ir          = "(F,F,T,F)";;
let psw         = "(F,F,T,T)";;
let pc          = "(F,T,F,F)";;
let pcj         = "(F,T,F,T)";;
let mar         = "(F,T,T,F)";;
let mbr         = "(F,T,T,T)";;
let noreg       = "(T,F,F,F)";;
let mar_gets_pc = "(T,F,F,T)";;
let reg_dest    = "(T,F,T,F)";;
let C255        = "(T,F,T,T)";;
let ivec        = "(T,T,F,F)";;



%-----------------------------------------------------------------------------
  The effect of a microinstruction on the major components of the
  datapath is described by the tuple given to Oper:

     Oper (target, shifterop, sourceA, aluop, sourceB, special)

  Target is the target register
  SourceA is the register fed to the A-latch
  SourceB is the register fed to the B-latch
  AluOp is the ALU operation applied to SourceA and SourceB
  ShifterOp is the shifter operation applied to the result of
    AluOp
  Special selects the MBR load (mbr), the MAR load (mar) or the
    MAR load from the PC through the P-mux (mar_gets_pc); noreg
    selects none of them
-----------------------------------------------------------------------------%

let Process_Trgt x =
  (x = reg_file) => "(F,F,F)" |
  (x = ssp)      => "(F,F,T)" |
  (x = psw)      => "(F,T,F)" |
  (x = ir)       => "(F,T,T)" |
  (x = pc)       => "(T,F,F)" |
  (x = pcj)      => "(T,F,T)" |
                    "(T,T,F)";;

let Process_Srca x =
  (x = reg_file) => "(F,F,F)" |
  (x = reg_dest) => "(F,F,T)" |
  (x = ssp)      => "(F,T,F)" |
  (x = psw)      => "(F,T,T)" |
  (x = C255)     => "(T,F,F)" |
                    "(T,F,T)";;

let Process_Srcb x =
  (x = reg_file) => "(F,F)" |
  (x = ivec)     => "(F,T)" |
                    "(T,F)";;

let Process_MBR x =
  (x = mbr) => "T" | "F";;

let Process_MAR x =
  ((x = mar) or (x = mar_gets_pc)) => "T" | "F";;

let Process_PMUX x =
  (x = mar_gets_pc) => "T" | "F";;

let Process_AMUX x =
  (x = mbr) => "T" | "F";;

let Oper (trgt, sop, srca, aop, srcb, special) =
  "(^(Process_AMUX srca),
    ^sop,
    ^aop,
    ^(Process_MBR special),
    ^(Process_MAR special),
    ^(Process_PMUX special),
    ^(Process_Trgt trgt),
    ^(Process_Srca srca),
    ^(Process_Srcb srcb))";;

%
  Oper (reg_file,nsh,reg_file,add,ir,noreg);;
  Oper (reg_file,shl,mbr,band,reg_file,mar);;
%


%-----------------------------------------------------------------------------
  The PSW loading is given by PSW_Control:

  Bits  Mnemonic  Description
   1    S_SM      Set supervisory mode bit in PSW
   1    C_SM      Clear supervisory mode bit in PSW
   1    S_IE      Set interrupt enable bit in PSW
   1    C_IE      Clear interrupt enable bit in PSW
   1    LD_C      Load carry bit in PSW
   1    LD_V      Load overflow bit in PSW
   1    LD_N      Load negative bit in PSW
   1    LD_Z      Load zero bit in PSW
   1    CSRC      Source of carry (shifter or alu)
-----------------------------------------------------------------------------%

let set_sm = 1;;
let clr_sm = 2;;
let set_ie = 1;;
let clr_ie = 2;;
let pass = 3;;
let ld_from_alu = 1;;
let ld_from_shifter = 2;;
let ld_vf = 4;;
let ld_nf = 4;;
let ld_zf = 4;;

let Set_PSW (sm, ie, cf, vf, nf, zf) =
  "(^((sm = set_sm) => "T" | "F"),
    ^((sm = clr_sm) => "T" | "F"),
    ^((ie = set_ie) => "T" | "F"),
    ^((ie = clr_ie) => "T" | "F"),
    ^(((cf = ld_from_alu) or (cf = ld_from_shifter)) => "T" | "F"),
    ^((vf = ld_vf) => "T" | "F"),
    ^((nf = ld_nf) => "T" | "F"),
    ^((zf = ld_zf) => "T" | "F"),
    ^((cf = ld_from_alu) => "T" | "F"))";;

%
  Set_PSW (set_sm, clr_ie, pass, pass, pass, pass);;
  Set_PSW (pass, pass, ld_from_alu, ld_vf, ld_nf, ld_zf);;
  Set_PSW (pass, pass, ld_from_shifter, ld_vf, ld_nf, ld_zf);;
%


%-----------------------------------------------------------------------------
  The external signals are described by a function ExtSig
-----------------------------------------------------------------------------%

let rd = 1;;
let wr = 2;;
let no_mem_op = 3;;
let i_ack = "T";;
let off = "F";;
let in_fetch = "T";;

let Process_Mem_Op memop =
  (memop = 1) => "(T,F)" |
  (memop = 2) => "(F,T)" |
                 "(F,F)";;

let ExtSig (iaction, fetch, memop) =
  "(^iaction,
    ^fetch,
    ^(Process_Mem_Op memop))";;

%
  ExtSig(off,off,rd);;
  ExtSig(i_ack,in_fetch,no_mem_op);;
%


%-----------------------------------------------------------------------------
  The next microinstruction is chosen by the result of

     Mpc (cond, address)

  The cond field can take the following values:

  Value  Meaning
  step   Increment the microprogram counter and go there
  jmp    Jump unconditionally
  jop    Jump relative to mpc based on current opcode
  jint   Jump on interrupt
  jsm    Jump in supervisory mode

  Step is the default.
-----------------------------------------------------------------------------%

let step = "(F,F,F)";;
let jmp  = "(F,F,T)";;
let jop  = "(F,T,F)";;
let jint = "(F,T,T)";;
let jsm  = "(T,F,F)";;

let Mpc (cond, addr) = "(^cond, ^addr)";;
let TEST_ADDR = "(F,F,F,F,F,F)";;

%
  Mpc (step, TEST_ADDR);;
  Mpc (jint, TEST_ADDR);;
%
3.5.2 The Microcode Definition

This section presents the ML code that creates the theory ucode_def.th.

%-----------------------------------------------------------------------------
  File:         def_ucode.ml
  Author:       (c) P. J. Windley 1990
  Date:         JUN 23, 1990
  Modified:
  Description:
    Defines the microcode for the machine in an abstract way.

    A mnemonic microassembly language is defined.  The theorems
    necessary for assembling the code are proven.  The assembler is
    actually defined in the file that defines the actual microcode
    for the machine.

    In addition a type for the assembled microcode, the structure
    of the assembled microcode, and selectors on the assembled
    microcode are defined.
-----------------------------------------------------------------------------%

set_search_path (search_path() @ [`/muztag/home/windley/hol/tactics/`;
                                   `/muztag/home/windley/hol/ml/`;
                                  ]);;

let Library_Root = `/muztag/home/windley/hol/Library/`;;
set_search_path
  (search_path() @
   (map (concat Library_Root) [`decimal/`; `assoc/`; `tuple/`]));;

system `/bin/rm ucode_def.th`;;
new_theory `ucode_def`;;
map new_parent [`tuple`];;

%-----------------------------------------------------------------------------
  A microinstruction has the following format:

  Bits  Mnemonic  Description
  ----  --------  --------------------------------------
   1    AMUX      Toggle MUX on A-bus
   2    SHFT      Shifter function
   4    ALU       ALU function
   1    MAR       Load MAR from P-Mux
   1    MBR       Load MBR from C-bus
   1    PMUX      Toggle MUX loading MAR
   3    SRCA      A-bus source (includes SSP)
   2    SRCB      B-bus source
   3    TRGT      C-bus target (includes SSP)
   1    S_SM      Set supervisory mode bit in PSW
   1    C_SM      Clear supervisory mode bit in PSW
   1    S_IE      Set interrupt enable bit in PSW
   1    C_IE      Clear interrupt enable bit in PSW
   1    LD_C      Load carry bit in PSW
   1    LD_V      Load overflow bit in PSW
   1    LD_N      Load negative bit in PSW
   1    LD_Z      Load zero bit in PSW
   1    CSRC      Source of carry (shifter or alu)
   1    IACK      Interrupt acknowledge signal
   1    FTCH      Fetch signal
   1    RD        Read signal
   1    WR        Write signal
   3    COND      Microcode jump condition
   6    ADDR      Next address
-----------------------------------------------------------------------------%

%-----------------------------------------------------------------------------
  Load the ucode auxilliary file.
-----------------------------------------------------------------------------%

loadf `ucode_aux`;;

%-----------------------------------------------------------------------------
  Now define a type for ucode.
-----------------------------------------------------------------------------%

new_type_abbrev(`ucode`,
  type_of
    "(^(Oper (reg_file,nsh,reg_file,add,ir,noreg)),
      ^(Set_PSW (pass,pass,ld_from_alu,ld_vf,ld_nf,ld_zf)),
      ^(ExtSig(i_ack,in_fetch,no_mem_op)),
      ^(Mpc (jint,TEST_ADDR)))"
  );;


%-----------------------------------------------------------------------------
  Here are the selectors for the microcode
-----------------------------------------------------------------------------%

let Amux = new_definition
  (`Amux`,
   "! (ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
      (ssm csm sie cie lcf lvf lnf lzf lal:bool)
      (tg:bt3) (sa:bt3) (sb:bt2) (jc:bt3) (ad:bt6) .
     Amux ((ax,sh,al,mb,ma,pc,tg,sa,sb),
           (ssm,csm,sie,cie,lcf,lvf,lnf,lzf,lal),
           (ia,f,r,w), (jc,ad)) = ax"
  );;

let Shift = new_definition
  (`Shift`,
   "! (ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
      (ssm csm sie cie lcf lvf lnf lzf lal:bool)
      (tg:bt3) (sa:bt3) (sb:bt2) (jc:bt3) (ad:bt6) .
     Shift ((ax,sh,al,mb,ma,pc,tg,sa,sb),
            (ssm,csm,sie,cie,lcf,lvf,lnf,lzf,lal),
            (ia,f,r,w), (jc,ad)) = sh"
  );;

let Alu = new_definition
  (`Alu`,
   "! (ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
      (ssm csm sie cie lcf lvf lnf lzf lal:bool)
      (tg:bt3) (sa:bt3) (sb:bt2) (jc:bt3) (ad:bt6) .
     Alu ((ax,sh,al,mb,ma,pc,tg,sa,sb),
          (ssm,csm,sie,cie,lcf,lvf,lnf,lzf,lal),
          (ia,f,r,w), (jc,ad)) = al"
  );;

let Mbr = new_definition
  (`Mbr`,
   "! (ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
      (ssm csm sie cie lcf lvf lnf lzf lal:bool)
      (tg:bt3) (sa:bt3) (sb:bt2) (jc:bt3) (ad:bt6) .
     Mbr ((ax,sh,al,mb,ma,pc,tg,sa,sb),
          (ssm,csm,sie,cie,lcf,lvf,lnf,lzf,lal),
          (ia,f,r,w), (jc,ad)) = mb"
  );;

let Mar = new_definition
  (`Mar`,
   "! (ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
      (ssm csm sie cie lcf lvf lnf lzf lal:bool)
      (tg:bt3) (sa:bt3) (sb:bt2) (jc:bt3) (ad:bt6) .
     Mar ((ax,sh,al,mb,ma,pc,tg,sa,sb),
          (ssm,csm,sie,cie,lcf,lvf,lnf,lzf,lal),
          (ia,f,r,w), (jc,ad)) = ma"
  );;

let Pmux = new_definition
  (`Pmux`,
   "! (ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
      (ssm csm sie cie lcf lvf lnf lzf lal:bool)
      (tg:bt3) (sa:bt3) (sb:bt2) (jc:bt3) (ad:bt6) .
     Pmux ((ax,sh,al,mb,ma,pc,tg,sa,sb),
           (ssm,csm,sie,cie,lcf,lvf,lnf,lzf,lal),
           (ia,f,r,w), (jc,ad)) = pc"
  );;

let Trgt = new_definition
  (`Trgt`,
   "! (ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
      (ssm csm sie cie lcf lvf lnf lzf lal:bool)
      (tg:bt3) (sa:bt3) (sb:bt2) (jc:bt3) (ad:bt6) .
     Trgt ((ax,sh,al,mb,ma,pc,tg,sa,sb),
           (ssm,csm,sie,cie,lcf,lvf,lnf,lzf,lal),
           (ia,f,r,w), (jc,ad)) = tg"
  );;

let SrcA = new_definition
  (`SrcA`,
   "! (ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
      (ssm csm sie cie lcf lvf lnf lzf lal:bool)
      (tg:bt3) (sa:bt3) (sb:bt2) (jc:bt3) (ad:bt6) .
     SrcA ((ax,sh,al,mb,ma,pc,tg,sa,sb),
           (ssm,csm,sie,cie,lcf,lvf,lnf,lzf,lal),
           (ia,f,r,w), (jc,ad)) = sa"
  );;

let SrcB = new_definition
  (`SrcB`,
   "! (ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
      (ssm csm sie cie lcf lvf lnf lzf lal:bool)
      (tg:bt3) (sa:bt3) (sb:bt2) (jc:bt3) (ad:bt6) .
     SrcB ((ax,sh,al,mb,ma,pc,tg,sa,sb),
           (ssm,csm,sie,cie,lcf,lvf,lnf,lzf,lal),
           (ia,f,r,w), (jc,ad)) = sb"
  );;

let S_sm = new_definition
  (`S_sm`,
   "! (ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
      (ssm csm sie cie lcf lvf lnf lzf lal:bool)
      (tg:bt3) (sa:bt3) (sb:bt2) (jc:bt3) (ad:bt6) .
     S_sm ((ax,sh,al,mb,ma,pc,tg,sa,sb),
           (ssm,csm,sie,cie,lcf,lvf,lnf,lzf,lal),
           (ia,f,r,w), (jc,ad)) = ssm"
  );;

let C_sm = new_definition
  (`C_sm`,
   "! (ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
      (ssm csm sie cie lcf lvf lnf lzf lal:bool)
      (tg:bt3) (sa:bt3) (sb:bt2) (jc:bt3) (ad:bt6) .
     C_sm ((ax,sh,al,mb,ma,pc,tg,sa,sb),
           (ssm,csm,sie,cie,lcf,lvf,lnf,lzf,lal),
           (ia,f,r,w), (jc,ad)) = csm"
  );;

let S_ie = new_definition
  (`S_ie`,
   "! (ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
      (ssm csm sie cie lcf lvf lnf lzf lal:bool)
      (tg:bt3) (sa:bt3) (sb:bt2) (jc:bt3) (ad:bt6) .
     S_ie ((ax,sh,al,mb,ma,pc,tg,sa,sb),
           (ssm,csm,sie,cie,lcf,lvf,lnf,lzf,lal),
           (ia,f,r,w), (jc,ad)) = sie"
  );;

let C_ie = new_definition
  (`C_ie`,
   "! (ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
      (ssm csm sie cie lcf lvf lnf lzf lal:bool)
      (tg:bt3) (sa:bt3) (sb:bt2) (jc:bt3) (ad:bt6) .
     C_ie ((ax,sh,al,mb,ma,pc,tg,sa,sb),
           (ssm,csm,sie,cie,lcf,lvf,lnf,lzf,lal),
           (ia,f,r,w), (jc,ad)) = cie"
  );;

let Ld_c = new_definition
  (`Ld_c`,
   "! (ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
      (ssm csm sie cie lcf lvf lnf lzf lal:bool)
      (tg:bt3) (sa:bt3) (sb:bt2) (jc:bt3) (ad:bt6) .
     Ld_c ((ax,sh,al,mb,ma,pc,tg,sa,sb),
           (ssm,csm,sie,cie,lcf,lvf,lnf,lzf,lal),
           (ia,f,r,w), (jc,ad)) = lcf"
  );;

let Ld_v = new_definition
  (`Ld_v`,
   "! (ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
      (ssm csm sie cie lcf lvf lnf lzf lal:bool)
      (tg:bt3) (sa:bt3) (sb:bt2) (jc:bt3) (ad:bt6) .
     Ld_v ((ax,sh,al,mb,ma,pc,tg,sa,sb),
           (ssm,csm,sie,cie,lcf,lvf,lnf,lzf,lal),
           (ia,f,r,w), (jc,ad)) = lvf"
  );;

let Ld_n = new_definition
  (`Ld_n`,
   "! (ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
      (ssm csm sie cie lcf lvf lnf lzf lal:bool)
      (tg:bt3) (sa:bt3) (sb:bt2) (jc:bt3) (ad:bt6) .
     Ld_n ((ax,sh,al,mb,ma,pc,tg,sa,sb),
           (ssm,csm,sie,cie,lcf,lvf,lnf,lzf,lal),
           (ia,f,r,w), (jc,ad)) = lnf"
  );;

let Ld_z = new_definition
  (`Ld_z`,
   "! (ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
      (ssm csm sie cie lcf lvf lnf lzf lal:bool)
      (tg:bt3) (sa:bt3) (sb:bt2) (jc:bt3) (ad:bt6) .
     Ld_z ((ax,sh,al,mb,ma,pc,tg,sa,sb),
           (ssm,csm,sie,cie,lcf,lvf,lnf,lzf,lal),
           (ia,f,r,w), (jc,ad)) = lzf"
  );;

let Csrc = new_definition
  (`Csrc`,
   "! (ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
      (ssm csm sie cie lcf lvf lnf lzf lal:bool)
      (tg:bt3) (sa:bt3) (sb:bt2) (jc:bt3) (ad:bt6) .
     Csrc ((ax,sh,al,mb,ma,pc,tg,sa,sb),
           (ssm,csm,sie,cie,lcf,lvf,lnf,lzf,lal),
           (ia,f,r,w), (jc,ad)) = lal"
  );;

let Iack = new_definition
  (`Iack`,
   "! (ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
      (ssm csm sie cie lcf lvf lnf lzf lal:bool)
      (tg:bt3) (sa:bt3) (sb:bt2) (jc:bt3) (ad:bt6) .
     Iack ((ax,sh,al,mb,ma,pc,tg,sa,sb),
           (ssm,csm,sie,cie,lcf,lvf,lnf,lzf,lal),
           (ia,f,r,w), (jc,ad)) = ia"
  );;

let Ftch = new_definition
  (`Ftch`,
   "! (ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
      (ssm csm sie cie lcf lvf lnf lzf lal:bool)
      (tg:bt3) (sa:bt3) (sb:bt2) (jc:bt3) (ad:bt6) .
     Ftch ((ax,sh,al,mb,ma,pc,tg,sa,sb),
           (ssm,csm,sie,cie,lcf,lvf,lnf,lzf,lal),
           (ia,f,r,w), (jc,ad)) = f"
  );;

let Rd = new_definition
  (`Rd`,
   "! (ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
      (ssm csm sie cie lcf lvf lnf lzf lal:bool)
      (tg:bt3) (sa:bt3) (sb:bt2) (jc:bt3) (ad:bt6) .
     Rd ((ax,sh,al,mb,ma,pc,tg,sa,sb),
         (ssm,csm,sie,cie,lcf,lvf,lnf,lzf,lal),
         (ia,f,r,w), (jc,ad)) = r"
  );;

let Wr = new_definition
  (`Wr`,
   "! (ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
      (ssm csm sie cie lcf lvf lnf lzf lal:bool)
      (tg:bt3) (sa:bt3) (sb:bt2) (jc:bt3) (ad:bt6) .
     Wr ((ax,sh,al,mb,ma,pc,tg,sa,sb),
         (ssm,csm,sie,cie,lcf,lvf,lnf,lzf,lal),
         (ia,f,r,w), (jc,ad)) = w"
  );;

let Cond = new_definition
  (`Cond`,
   "! (ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
      (ssm csm sie cie lcf lvf lnf lzf lal:bool)
      (tg:bt3) (sa:bt3) (sb:bt2) (jc:bt3) (ad:bt6) .
     Cond ((ax,sh,al,mb,ma,pc,tg,sa,sb),
           (ssm,csm,sie,cie,lcf,lvf,lnf,lzf,lal),
           (ia,f,r,w), (jc,ad)) = jc"
  );;

let Address = new_definition
  (`Address`,
   "! (ax:bool) (sh:bt2) (al:bt4) (ma mb pc r w ia f:bool)
      (ssm csm sie cie lcf lvf lnf lzf lal:bool)
      (tg:bt3) (sa:bt3) (sb:bt2) (jc:bt3) (ad:bt6) .
     Address ((ax,sh,al,mb,ma,pc,tg,sa,sb),
              (ssm,csm,sie,cie,lcf,lvf,lnf,lzf,lal),
              (ia,f,r,w), (jc,ad)) = ad"
  );;


close_theory();;
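The assembler of ucode_aux.ml and the selectors of ucode_def.ml above fit together as an encode/decode pair: `Oper`, `Set_PSW`, `ExtSig` and `Mpc` build the four groups of the `ucode` tuple, and `Amux` .. `Address` project single fields back out of it. The following Python model is an added example, not code from the report, that builds the same nested tuple of booleans, applies the selectors to it, and packs it into a 40-bit word using the field widths from the format table. The bit layout (fields in tuple order, first field most significant) is this example's own assumption; the report only fixes the tuple.

```python
# Added example: an executable model of the AVM-1 microcode assembler
# (Oper, Set_PSW, ExtSig, Mpc) and of the selectors defined in ucode_def.
# It is not Windley's code.  The assembled form is the same nested tuple
# of booleans as the HOL term; packing that tuple into a 40-bit integer
# (fields in tuple order, first field most significant) is this example's
# own assumption about the bit layout.

F, T = False, True

# Shifter, ALU and microcode-jump mnemonics, as in ucode_aux.ml.
SHIFT = {"shl": (F, F), "shr": (F, T), "asr": (T, F), "nsh": (T, T)}
ALU = {"add": (F, F, F, F), "addc": (F, F, F, T), "inc": (F, F, T, F),
       "sub": (F, F, T, T), "subc": (F, T, F, F), "dec": (F, T, F, T),
       "band": (F, T, T, F), "bxor": (F, T, T, T), "bor": (T, F, F, F),
       "bnot": (T, F, F, T), "nop": (T, F, T, F)}
COND = {"step": (F, F, F), "jmp": (F, F, T), "jop": (F, T, F),
        "jint": (F, T, T), "jsm": (T, F, F)}
TEST_ADDR = (F,) * 6

# Process_Trgt / Process_Srca / Process_Srcb: register mnemonic -> select code.
# A mnemonic missing from the table takes the default branch of the ML conditional.
TRGT = {"reg_file": (F, F, F), "ssp": (F, F, T), "psw": (F, T, F),
        "ir": (F, T, T), "pc": (T, F, F), "pcj": (T, F, T)}
SRCA = {"reg_file": (F, F, F), "reg_dest": (F, F, T), "ssp": (F, T, F),
        "psw": (F, T, T), "C255": (T, F, F)}
SRCB = {"reg_file": (F, F), "ivec": (F, T)}

def oper(trgt, sop, srca, aop, srcb, special):
    """Oper: the nine datapath fields (ax,sh,al,mb,ma,pc,tg,sa,sb)."""
    return (srca == "mbr",                       # AMUX: feed the ALU from MBR
            SHIFT[sop], ALU[aop],
            special == "mbr",                    # MBR load
            special in ("mar", "mar_gets_pc"),   # MAR load
            special == "mar_gets_pc",            # PMUX: MAR takes the PC
            TRGT.get(trgt, (T, T, F)),           # default: float (no target)
            SRCA.get(srca, (T, F, T)),           # default: pc
            SRCB.get(srcb, (T, F)))              # default: ir (immediate)

def set_psw(sm, ie, cf, vf, nf, zf):
    """Set_PSW: (S_SM,C_SM,S_IE,C_IE,LD_C,LD_V,LD_N,LD_Z,CSRC).  sm/ie are 'set',
    'clr' or 'pass'; cf is 'alu', 'shifter' or 'pass'; vf/nf/zf are 'ld' or 'pass'."""
    return (sm == "set", sm == "clr", ie == "set", ie == "clr",
            cf in ("alu", "shifter"), vf == "ld", nf == "ld", zf == "ld",
            cf == "alu")                         # CSRC: T = carry comes from the ALU

def ext_sig(iack, fetch, memop):
    """ExtSig: (IACK, FTCH, RD, WR); memop is 'rd', 'wr' or 'no_mem_op'."""
    rd, wr = {"rd": (T, F), "wr": (F, T)}.get(memop, (F, F))
    return (iack, fetch, rd, wr)

def mpc(cond, addr):
    """Mpc: (COND, ADDR) with addr a 6-tuple of booleans."""
    return (COND[cond], addr)

def assemble(op, psw_ctl, ext, nxt):
    """An assembled microinstruction: the 4-tuple the HOL type `ucode` abbreviates."""
    return (op, psw_ctl, ext, nxt)

# Selectors Amux .. Address as (group, position) inside the assembled tuple.
SELECTORS = {name: (g, i) for g, names in enumerate((
    ("Amux", "Shift", "Alu", "Mbr", "Mar", "Pmux", "Trgt", "SrcA", "SrcB"),
    ("S_sm", "C_sm", "S_ie", "C_ie", "Ld_c", "Ld_v", "Ld_n", "Ld_z", "Csrc"),
    ("Iack", "Ftch", "Rd", "Wr"),
    ("Cond", "Address"))) for i, name in enumerate(names)}

def select(word, name):
    g, i = SELECTORS[name]
    return word[g][i]

# Field widths in tuple order: 18 + 9 + 4 + 9 = 40 bits, as in the format table.
SHAPE = ((1, 2, 4, 1, 1, 1, 3, 3, 2), (1,) * 9, (1,) * 4, (3, 6))
WIDTH = sum(sum(g) for g in SHAPE)

def pack(word):
    """Flatten the assembled tuple to an integer, first field most significant."""
    n = 0
    for group in word:
        for field in group:
            for bit in (field if isinstance(field, tuple) else (field,)):
                n = (n << 1) | int(bit)
    return n

def unpack(n):
    """Inverse of pack: rebuild the nested tuple from a WIDTH-bit integer."""
    bits = [bool((n >> (WIDTH - 1 - i)) & 1) for i in range(WIDTH)]
    word, pos = [], 0
    for group in SHAPE:
        fields = []
        for w in group:
            chunk = tuple(bits[pos:pos + w])
            pos += w
            fields.append(chunk[0] if w == 1 else chunk)
        word.append(tuple(fields))
    return tuple(word)

# The two Oper examples from ucode_aux.ml, completed into full microwords.
NOP_WORD = assemble(oper("reg_file", "nsh", "reg_file", "add", "ir", "noreg"),
                    set_psw("pass", "pass", "pass", "pass", "pass", "pass"),
                    ext_sig(F, F, "no_mem_op"), mpc("step", TEST_ADDR))
AND_WORD = assemble(oper("reg_file", "shl", "mbr", "band", "reg_file", "mar"),
                    set_psw("pass", "pass", "shifter", "ld", "ld", "ld"),
                    ext_sig(F, F, "rd"), mpc("jint", TEST_ADDR))
```

Two details the model makes visible: `mar_gets_pc` as the special field asserts both MAR and PMUX, while plain `mar` asserts MAR alone, and `ld_from_shifter` sets LD_C but leaves CSRC false, so the carry loaded into the PSW is the shifter's, not the ALU's. Both follow directly from `Process_MAR`, `Process_PMUX` and the last component of `Set_PSW`.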


3.5.3 The Phase-Level Interpreter

This section presents the ML code that creates the theory phase_def.th.

%-----------------------------------------------------------------------------
  File:         def_phase.ml
  Author:       (c) P. J. Windley 1990
  Date:         18 JAN 90
  Modified:     06 MAY 90
  Description:
    Defines the behavioral description of the phase level
    interpreter.
-----------------------------------------------------------------------------%

set_search_path (search_path() @ [`/muztag/home/windley/hol/tactics/`;
                                   `/muztag/home/windley/hol/ml/`;
                                  ]);;

let Library_Root = `/muztag/home/windley/hol/Library/`;;
set_search_path
  (search_path() @
   (map (concat Library_Root)
        [`tuple/`; `decimal/`; `assoc/`]));;

loadf `abstract`;;

system `/bin/rm phase_def.th`;;
new_theory `phase_def`;;
map new_parent [`mpc_def`; `aux_def`; `tuple`;
                `aux_thms`; `regs_def`; `jump_def`;
                `ucode_def`];;

let rep_ty = abstract_type `aux_def` `opcode`;;

%-----------------------------------------------------------------------------
  Denotational descriptions of phase level instructions.
-----------------------------------------------------------------------------%

let phase_one_def = new_definition
  (`phase_one_def`,
   "! (rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
      (psw pc ivec ir mar mbr alatch blatch:*wordn)
      (mpc:bt6) (clk:bt2) (urom:num->ucode) (mir:ucode)
      (ireq_ff iack_ff int_e:bool) .
     phase_one rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc,
                    alatch, blatch, ireq_ff, iack_ff, mir, urom, clk)
               (int_e) =
       let new_mir = urom (bt6_val mpc) and
           new_ireq_ff = int_e and
           new_clk = (F,T) in
       (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc,
        alatch, blatch, new_ireq_ff, iack_ff, new_mir, urom, new_clk)"
  );;

let phase_two_def = new_definition
  (`phase_two_def`,
   "! (rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
      (psw pc ivec ir mar mbr alatch blatch:*wordn)
      (mpc:bt6) (clk:bt2) (urom:num->ucode) (mir:ucode)
      (ireq_ff iack_ff int_e:bool) .
     phase_two rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc,
                    alatch, blatch, ireq_ff, iack_ff, mir, urom, clk)
               (int_e) =
       let new_alatch = (
             ((SrcA mir) = (F,F,F)) => (EL (reg_len rep (srca rep ir)) reg) |
             ((SrcA mir) = (F,F,T)) => (EL (reg_len rep (dest rep ir)) reg) |
             ((SrcA mir) = (F,T,F)) => (SSP_REG reg) |
             ((SrcA mir) = (F,T,T)) => psw |
             ((SrcA mir) = (T,F,F)) => (wordn rep 255) |
             pc) in
       let new_blatch = (
             ((SrcB mir) = (F,F)) => (EL (reg_len rep (srcb rep ir)) reg) |
             ((SrcB mir) = (F,T)) => (int_fetch rep ivec) |
             (imm rep ir)) in
       let new_iack_ff = Iack mir and
           new_clk = (T,F) in
       (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc,
        new_alatch, new_blatch, ireq_ff, new_iack_ff,
        mir, urom, new_clk)"
  );;

let phase_three_def = new_definition
  (`phase_three_def`,
   "! (rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
      (psw pc ivec ir mar mbr alatch blatch:*wordn)
      (mpc:bt6) (clk:bt2) (urom:num->ucode) (mir:ucode)
      (ireq_ff iack_ff int_e:bool) .
     phase_three rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc,
                      alatch, blatch, ireq_ff, iack_ff, mir, urom, clk)
                 (int_e) =
       let new_mar = (((Pmux mir) /\ (Mar mir)) => pc | mar) and
           new_clk = (T,T) in
       (reg, psw, pc, mem, ivec, ir, new_mar, mbr, mpc,
        alatch, blatch, ireq_ff, iack_ff, mir, urom, new_clk)"

  );;
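The three definitions above are each a function from the sixteen-component state to its successor, and the clock component selects which one applies: phase_one runs at (F,F) and leaves the clock at (F,T), phase_two at (F,T) leaves it at (T,F), phase_three at (T,F) leaves it at (T,T). The following Python model is an added example, not code from the report, that runs those three phases in clock order on a constructed state. The abstract representation `rep` is replaced by concrete stand-ins whose layouts are assumed here (8-bit words, a 32-entry register file whose entry 1 plays the part of `SSP_REG`, and an instruction register with 5-bit dest/srca/srcb fields and an 8-bit immediate in the low byte); a microinstruction is a dict keyed by the selector names, so no assembler is needed.

```python
# Added example: the first three phases of the phase-level interpreter
# (phase_one, phase_two, phase_three above) as an executable model.  Not
# code from the report.  The state is a dict with the same sixteen
# components as the HOL tuple; a microinstruction is a dict keyed by the
# selector names SrcA, SrcB, Iack, Pmux and Mar.

F, T = False, True
WORD_MASK = 0xFF            # assumed: wordn is an 8-bit word
SSP_INDEX = 1               # assumed: SSP_REG reg = reg[1]

def dest(ir): return (ir >> 16) & 0x1F      # assumed instruction-register fields
def srca(ir): return (ir >> 8) & 0x1F
def srcb(ir): return ir & 0x1F
def imm(ir):  return ir & 0xFF              # assumed: immediate is the low byte
def wordn(n): return n & WORD_MASK
def int_fetch(ivec): return ivec            # assumed: the vector is read as-is

def phase_one(s, int_e):
    """clk = (F,F): load MIR from the microcode ROM at mpc, latch the IREQ input."""
    s = dict(s)
    s["mir"] = s["urom"][s["mpc"]]
    s["ireq_ff"] = int_e
    s["clk"] = (F, T)
    return s

def phase_two(s, int_e):
    """clk = (F,T): fill the A and B latches from the SrcA/SrcB sources, latch IACK."""
    s = dict(s)
    mir, reg, ir = s["mir"], s["reg"], s["ir"]
    sa = mir["SrcA"]
    if sa == (F, F, F):   s["alatch"] = reg[srca(ir)]
    elif sa == (F, F, T): s["alatch"] = reg[dest(ir)]
    elif sa == (F, T, F): s["alatch"] = reg[SSP_INDEX]
    elif sa == (F, T, T): s["alatch"] = s["psw"]
    elif sa == (T, F, F): s["alatch"] = wordn(255)
    else:                 s["alatch"] = s["pc"]
    sb = mir["SrcB"]
    if sb == (F, F):      s["blatch"] = reg[srcb(ir)]
    elif sb == (F, T):    s["blatch"] = int_fetch(s["ivec"])
    else:                 s["blatch"] = imm(ir)
    s["iack_ff"] = mir["Iack"]
    s["clk"] = (T, F)
    return s

def phase_three(s, int_e):
    """clk = (T,F): MAR takes the PC only when both PMUX and MAR are set in MIR."""
    s = dict(s)
    if s["mir"]["Pmux"] and s["mir"]["Mar"]:
        s["mar"] = s["pc"]
    s["clk"] = (T, T)
    return s

PHASES = {(F, F): phase_one, (F, T): phase_two, (T, F): phase_three}

def run_to_phase_four(s, int_e):
    """Apply phases one to three in clock order; stop where phase_four would start."""
    while s["clk"] in PHASES:
        s = PHASES[s["clk"]](s, int_e)
    return s

# Constructed sample microcode: one word that reads the srca/srcb registers and
# points MAR at the PC, one that puts the constant 255 and the immediate on the
# latches and raises the interrupt acknowledge.
FETCH_MIR = {"SrcA": (F, F, F), "SrcB": (F, F), "Iack": F, "Pmux": T, "Mar": T}
CONST_MIR = {"SrcA": (T, F, F), "SrcB": (T, F), "Iack": T, "Pmux": F, "Mar": F}
SSP_MIR   = {"SrcA": (F, T, F), "SrcB": (F, T), "Iack": F, "Pmux": T, "Mar": F}

def example_state(mpc):
    """A constructed state at clock (F,F) about to execute urom[mpc]."""
    reg = [0] * 32
    reg[1], reg[2], reg[10] = 0x40, 0x11, 0x55      # SSP, srca and srcb registers
    return {"reg": reg, "psw": 0x20, "pc": 0x10, "mem": {}, "ivec": 0x04,
            "ir": (3 << 16) | (2 << 8) | 0x2A,       # dest=3, srca=2, srcb=10, imm=0x2A
            "mar": 0, "mbr": 0, "mpc": mpc, "alatch": 0, "blatch": 0,
            "ireq_ff": F, "iack_ff": F, "mir": None,
            "urom": {0: FETCH_MIR, 1: CONST_MIR, 2: SSP_MIR}, "clk": (F, F)}
```

The third sample word shows the guard in phase_three at work: PMUX alone, without MAR, leaves MAR untouched, which is what `((Pmux mir) /\ (Mar mir)) => pc | mar` says.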


t — 

A law auxilliary definitions 


■X 



lat ALU.FUIC ■ naw.daf inition 
('ALU.FUHC' , 

°* (rap: “rap.ty) s a. input blatch carry. in 
ALU.FUIC rap a a. input blatch carry. in ■ 


((• 

■ 

(F.F.F.F)) 

«> 

(add 

rap 

(• 

m 

(F.F.F.T)) 

■> 

(addc 

rap 

(• 

m 

(F.F.T.F)) 

■> 

(inc 

rap 

(• 

m 

(F.F.T.T)) 

»> 

(sub 

rap 

(• 

m 

(F,T,F,F)) 

»> 

(subc 

rap 

<» 

m 

(F.T.F.T)) 

-> 

(dac 

rap 

(» 

m 

(F.T.T.F)) 

*> 

(band rap 

(s 

m 

(F.T.T.T)) 

*> 

(bxor 

rap 

(« 

m 

(T.F.F.F)) 

*> 

(bor 

rap 

(• 

m 

(T.F.F.T)) 

*> 

(bnot rap 
a.input) n 


.input , blatch, carry. in)) 


.input) | 




lat ALU.CARRY.FUHC * naw.daf inition 
( ‘ALU.CARRY.FUHC 1 , 

** * (rap: ~rap.ty) switch in.A in.B cin . 

ALU.CARKY.FUNC rap switch in.A in.B cin ■ 

((switch * F.F.F.F) -> 

addp r ap( in. A, in.B, add rap (in.A , in.B) ) | 
(switch « F,F,F,T) *> 

addcp rap (in.A, in.B t addc rap (in.A, in.B, cin) ) I 
(switch - F,F,T,F) *> 
addp rap(in_A,wordn rap 0,inc rap in.A) I 
(switch * F,F,T,T) -> 
subp r ap( in. A, in.B, sub rap (in.A , in.B) ) I 
(switch « F,T,F,F) -> 

subp rap (in.A, in.B, subc rap (in. A, in.B ,cin) ) I 
(switch - F,T,F,T) -> 
subp rap(in_A,wordn rap 0,dac rap in.A) \ 

F)" 

);; 


lat ALU.OVFL.FUHC * naw.daf inition 
( ' ALU.OVFL.FUHC * , 

**■ (rap: “rap.ty) switch in.A in.B cin , 

ALU.OVFL.FUNC rap switch in.A in.B cin * 

((switch - F,F,F,F) -> 

aovfl rap ( in.A , in.B , add rap (in. A, in.B) ) I 
(switch - F,F,F,T) •> 

aowfl rap ( in.A , in.B ,addc rap (in.A, in.B ,c in ) ) I 
(switch - F,F,T,F) *> 

F I 

(switch - F,F,T,T) -> 
sotII rap (in. A, in.B ,sub rap (in. A, in.B)) I 
(switch - F,T,F,F) »> 

sorfl rap (in. A, in.B, subc rap(in_A,in_B,cin) ) 1 

F)" 


let ALU_NEG_FUNC = new_definition
  (`ALU_NEG_FUNC`,
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
   "! (rep:^rep_ty) switch in_A in_B cin .
    ALU_NEG_FUNC rep switch in_A in_B cin =
     negp rep
      ((switch = F,F,F,F) ->
         add rep (in_A,in_B) |
       (switch = F,F,F,T) ->
         addc rep (in_A,in_B,cin) |
       (switch = F,F,T,F) ->
         inc rep in_A |
       (switch = F,F,T,T) ->
         sub rep (in_A,in_B) |
       (switch = F,T,F,F) ->
         subc rep (in_A,in_B,cin) |
       (switch = F,T,F,T) ->
         dec rep in_A |
       (switch = F,T,T,F) ->
         band rep (in_A,in_B) |
       (switch = F,T,T,T) ->
         bxor rep (in_A,in_B) |
       (switch = T,F,F,F) ->
         bor rep (in_A,in_B) |
       (switch = T,F,F,T) ->
         bnot rep in_A | in_A)"
  );;

let ALU_ZERO_FUNC = new_definition
  (`ALU_ZERO_FUNC`,
   "! (rep:^rep_ty) switch in_A in_B cin .
    ALU_ZERO_FUNC rep switch in_A in_B cin =
     zerop rep
      ((switch = F,F,F,F) ->
         add rep (in_A,in_B) |
       (switch = F,F,F,T) ->
         addc rep (in_A,in_B,cin) |
       (switch = F,F,T,F) ->
         inc rep in_A |
       (switch = F,F,T,T) ->
         sub rep (in_A,in_B) |
       (switch = F,T,F,F) ->
         subc rep (in_A,in_B,cin) |
       (switch = F,T,F,T) ->
         dec rep in_A |
       (switch = F,T,T,F) ->
         band rep (in_A,in_B) |
       (switch = F,T,T,T) ->
         bxor rep (in_A,in_B) |
       (switch = T,F,F,F) ->
         bor rep (in_A,in_B) |
       (switch = T,F,F,T) ->
         bnot rep in_A | in_A)"
  );;

let SHIFTER_FUNC = new_definition
  (`SHIFTER_FUNC`,
   "! (rep:^rep_ty) switch in_A .
    SHIFTER_FUNC rep switch in_A =
     ((switch = F,F) ->
        shl rep in_A |
      (switch = F,T) ->
        shr rep in_A |
      (switch = T,F) ->
        asr rep in_A | in_A)"
  );;

let SHIFTER_CARRY_FUNC = new_definition
  (`SHIFTER_CARRY_FUNC`,
   "! (rep:^rep_ty) switch in_A .
    SHIFTER_CARRY_FUNC rep switch in_A =
     ((switch = F,F) ->
        msb rep in_A |
      (switch = F,T) ->
        lsb rep in_A |
      (switch = T,F) ->
        lsb rep in_A | F)"
  );;
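The ALU and shifter case tables above, restated as a runnable Python model. This is an added example, not code from the report or from the AVM-1 proof scripts: the switch encodings and the shape of each table (which operations set carry, that the overflow branches for inc and dec are F, that the shifter's carry is the msb for shl and the lsb for the right shifts) follow the definitions on this page, while the report keeps add, addp, sovfl and the other word operations abstract in `rep`. The n-bit two's-complement reading of those operations, carry-out for additions and borrow-out for subtractions, and the treatment of `cin` as a borrow-in for subc are this example's assumptions.

```python
# Added example (not from the report): executable model of ALU_FUNC,
# ALU_CARRY_FUNC, ALU_OVFL_FUNC, ALU_NEG_FUNC, ALU_ZERO_FUNC, SHIFTER_FUNC
# and SHIFTER_CARRY_FUNC over concrete n-bit words.  The word operations the
# report leaves abstract in `rep` are given two's-complement meanings here
# (an assumption of this example, not something the report fixes).

def _mask(n):
    return (1 << n) - 1

def _signed(x, n):
    """Read an n-bit pattern as a two's-complement integer."""
    return x - (1 << n) if x & (1 << (n - 1)) else x

# ALU switch encodings, copied from the case tables in the report.
ADD  = (False, False, False, False)
ADDC = (False, False, False, True)
INC  = (False, False, True,  False)
SUB  = (False, False, True,  True)
SUBC = (False, True,  False, False)
DEC  = (False, True,  False, True)
BAND = (False, True,  True,  False)
BXOR = (False, True,  True,  True)
BOR  = (True,  False, False, False)
BNOT = (True,  False, False, True)

def alu_func(switch, a, b, cin, n=8):
    """ALU_FUNC: the wrapped result word; an unlisted switch passes in_A through."""
    m = _mask(n)
    table = {
        ADD:  (a + b) & m,
        ADDC: (a + b + int(cin)) & m,
        INC:  (a + 1) & m,
        SUB:  (a - b) & m,
        SUBC: (a - b - int(cin)) & m,   # assumption: cin acts as a borrow-in
        DEC:  (a - 1) & m,
        BAND: a & b,
        BXOR: a ^ b,
        BOR:  a | b,
        BNOT: (~a) & m,
    }
    return table.get(switch, a)

def alu_carry_func(switch, a, b, cin, n=8):
    """ALU_CARRY_FUNC: carry-out of additions (addp/addcp), borrow-out of
    subtractions (subp), F for the logical operations."""
    if switch == ADD:  return (a + b) >> n == 1
    if switch == ADDC: return (a + b + int(cin)) >> n == 1
    if switch == INC:  return (a + 1) >> n == 1        # addp (in_A, 0, inc in_A)
    if switch == SUB:  return a < b
    if switch == SUBC: return a < b + int(cin)
    if switch == DEC:  return a < 1                    # subp (in_A, 0, dec in_A)
    return False

def alu_ovfl_func(switch, a, b, cin, n=8):
    """ALU_OVFL_FUNC: signed overflow (aovfl/sovfl).  As in the report's
    table, INC and DEC never set it."""
    r = alu_func(switch, a, b, cin, n)
    sa, sb, sr = _signed(a, n) < 0, _signed(b, n) < 0, _signed(r, n) < 0
    if switch in (ADD, ADDC): return sa == sb and sr != sa
    if switch in (SUB, SUBC): return sa != sb and sr != sa
    return False

def alu_neg_func(switch, a, b, cin, n=8):
    """ALU_NEG_FUNC = negp rep (ALU result): the msb of the result."""
    return bool(alu_func(switch, a, b, cin, n) >> (n - 1))

def alu_zero_func(switch, a, b, cin, n=8):
    """ALU_ZERO_FUNC = zerop rep (ALU result)."""
    return alu_func(switch, a, b, cin, n) == 0

SHL, SHR, ASR = (False, False), (False, True), (True, False)

def shifter_func(switch, x, n=8):
    """SHIFTER_FUNC: shl / shr / asr; any other switch passes in_A through."""
    m = _mask(n)
    if switch == SHL: return (x << 1) & m
    if switch == SHR: return x >> 1
    if switch == ASR: return (_signed(x, n) >> 1) & m
    return x

def shifter_carry_func(switch, x, n=8):
    """SHIFTER_CARRY_FUNC: the bit shifted out (msb for shl, lsb for the
    two right shifts), F otherwise."""
    if switch == SHL: return bool(x >> (n - 1))
    if switch in (SHR, ASR): return bool(x & 1)
    return False

def alu_flags(switch, a, b, cin, n=8):
    """Result plus (cf, vf, nf, zf), the five values phase_four computes."""
    return (alu_func(switch, a, b, cin, n),
            alu_carry_func(switch, a, b, cin, n),
            alu_ovfl_func(switch, a, b, cin, n),
            alu_neg_func(switch, a, b, cin, n),
            alu_zero_func(switch, a, b, cin, n))
```

The point worth noticing in the model is the one the report's table makes explicit: an increment that wraps from 0x7F to 0x80 flips the sign bit but, by definition, raises no overflow flag, so software that relies on vf after inc or dec is relying on something the specification does not promise.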

let phase_four_def = new_definition
  (`phase_four_def`,
   "! (rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
      (psw pc ivec ir mar mbr alatch blatch:*wordn)
      (mpc:bt6) (clk:bt2) (urom:num->ucode) (mir:ucode)
      (ireq_ff iack_ff int_e:bool) .
    phase_four rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc,
                    alatch, blatch, ireq_ff, iack_ff, mir, urom, clk)
               (int_e) =
      let a_input = ((Amux mir) -> mbr | alatch) in
      let carry_in = (get_cf rep psw) in
      let alu_result =
          ALU_FUNC rep (Alu mir) a_input blatch carry_in in
      let cf =
          ALU_CARRY_FUNC rep (Alu mir) a_input blatch carry_in in
      let vf =
          ALU_OVFL_FUNC rep (Alu mir) a_input blatch carry_in in
      let nf =
          ALU_NEG_FUNC rep (Alu mir) a_input blatch carry_in in
      let zf =
          ALU_ZERO_FUNC rep (Alu mir) a_input blatch carry_in in
      let result = SHIFTER_FUNC rep (Shift mir) alu_result in
      let shft_c = SHIFTER_CARRY_FUNC rep (Shift mir) alu_result in
      let opc = (opcode rep ir) in
      let ie = (get_ie rep psw) and
          sm = (get_sm rep psw) in
      let new_psw = (
          (((Trgt mir) = (F,T,F)) /\ sm) -> result |
          (mk_psw rep (
             ((S_sm mir) -> T | (C_sm mir) -> F | sm),
             ((S_ie mir) -> T | (C_ie mir) -> F | ie),
             ((Ld_v mir) -> vf | (get_vf rep psw)),
             ((Ld_n mir) -> nf | (get_nf rep psw)),
             ((Ld_c mir) -> ((Csrc mir) -> cf | shft_c) | (get_cf rep psw)),
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
             ((Ld_z mir) -> zf | (get_zf rep psw))))) in

let ne*_reg * ( 

<r.g_l.n r.p (d.zt rep ir» r.g r.zult) I 

(CTrgt -ir) - (F.F.T)) -> 

(UPDATE.REG rep pew ssp.reg r# S r#sul ' 

reg) in 

1#t n ^c'SlT -pc opc (Address -ir) (Cond »ir) ir.q « i« »> *» 

S -> " 

      let new_pc = (
          ((Trgt mir) = (T,F,F)) -> result |
          (((Trgt mir) = (T,F,T)) /\ jmp) -> result | pc) in
      let new_mbr = (
          (Rd mir) -> (fetch rep (mem, address rep mar)) |
          (Mbr mir) -> result |
          mbr) in

1« ... ..r - «-(P.ux .ir) A OI«r ■!*» -> r..»l« I *•*> “ 

1., . «.r .id -> .««• x.p 

| sen) in 

      (new_reg, new_psw, new_pc, new_mem, ivec, ir, new_mar,
       new_mbr, new_mpc, alatch, blatch, ireq_ff, iack_ff, mir,
       urom, new_clk)"
  );;


%
 Selector function on phase level state for the phase level
 counter.
%

let GetPhaseClock = new_definition
  (`GetPhaseClock`,
   "! (rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
      (psw pc ivec ir mar mbr alatch blatch:*wordn)
      (mpc:bt6) (clk:bt2) (urom:num->ucode) (mir:ucode)
      (ireq_ff iack_ff int_e:bool) .
    GetPhaseClock rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc,
                       alatch, blatch, ireq_ff, iack_ff, mir, urom, clk)
                  (int_e) = clk"
  );;

let PhaseClockBegin = new_definition
  (`PhaseClockBegin`,
   "PhaseClockBegin = F,F"
  );;

%
 Substate the phase state to the
%

let Phase_Substate = new_definition
  (`Phase_Substate`,
   "! (rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
      (psw pc ivec ir mar mbr alatch blatch:*wordn)
      (mpc:bt6) (clk:bt2) (urom:num->ucode) (mir:ucode)
      (ireq_ff iack_ff int_e:bool) .
    Phase_Substate rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc,
                        alatch, blatch, ireq_ff, iack_ff, mir, urom,
                        clk) =
      (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)"
  );;

%
 I serves as the substate function since the state
 of the phase level is equivalent to the phase of the EBM.

 I also serves as the subenv function since the set of external
 lines in the phase level is the same as the set of external
 lines in the EBM.
%

close_theory();;
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3.5.4 The Phase-Level Proof

This section presents the ML code that creates the theory phase.th.

%
 File:        mk_phase.ml

 Author:      (c) P. J. Windley 1990

 Date:        19 JAN 90

 Modified:

 Description:

   Defines the phase level interpreter in terms of the definitions
   in block_def.th, phase_def.th, and gen_I.th.

   Proves the lemmas meeting the theory obligations for the abstract
   theory gen_I.th and instantiates a proof of the phase level in
   terms of the EBM.
%

set_search_path (search_path() @ [`/muztag/home/windley/hol/tactics/`;
                                 `/muztag/home/windley/hol/ml/`;
                                ]);;

let Library_Root = `/muztag/home/windley/hol/Library/`;;

set_search_path
  (search_path() @
   (map (concat Library_Root)
        [`tuple/`; `decimal/`; `assoc/`]));;

loadf `abstract`;;
system `/bin/rm phase.th`;;
new_theory `phase`;;

map new_parent [`gen_I`; `phase_def`; `block_def`];;

let GetPhaseClock = definition `phase_def` `GetPhaseClock`;;

let phase_one_def = EXPAND_LET_RULE (
    definition `phase_def` `phase_one_def`);;

let phase_two_def = EXPAND_LET_RULE (
    definition `phase_def` `phase_two_def`);;

let phase_three_def = EXPAND_LET_RULE (
    definition `phase_def` `phase_three_def`);;
let ALU_FUNC = definition `phase_def` `ALU_FUNC`;;
let ALU_CARRY_FUNC = definition `phase_def` `ALU_CARRY_FUNC`;;
let ALU_OVFL_FUNC = definition `phase_def` `ALU_OVFL_FUNC`;;
let ALU_NEG_FUNC = definition `phase_def` `ALU_NEG_FUNC`;;
let ALU_ZERO_FUNC = definition `phase_def` `ALU_ZERO_FUNC`;;
let SHIFTER_FUNC = definition `phase_def` `SHIFTER_FUNC`;;
let SHIFTER_CARRY_FUNC = definition `phase_def` `SHIFTER_CARRY_FUNC`;;
let phase_four_def = definition `phase_def` `phase_four_def`;;
let phase_four_expanded = EXPAND_LET_RULE phase_four_def;;
let EBM_expanded =
    REWRITE_RULE [definition `block_def` `IVEC_SPEC`]
                 (theorem `block_def` `EBM_expanded`);;

let GetEBMClock = definition `block_def` `GetEBMClock`;;

let EBM_Start = definition `block_def` `EBM_Start`;;

let Next = definition `time_abs` `Next`;;

let Temp_Abs_DEGENERATE = theorem `time_abs` `Temp_Abs_DEGENERATE`;;
loadf `tuple`;;

map autoload_theory [`npc_def`; `alu_def`; `shift_def`];;
let rep_ty = abstract_type `aux_def` `opcode`;;
let I_rep_ty = abstract_type `gen_I` `Impl`;;
let Phase_state =
    ":((*wordn)list#*wordn#*wordn#*memory#
       *wordn#*wordn#*wordn#*wordn#bt6#
       *wordn#*wordn#bool#bool#ucode#(num->ucode)#bt2)";;
let Phase_env = ":bool";;
let EBM_state = Phase_state;;
let EBM_env = Phase_env;;

%
 Define the phase level interpreter in terms of the generic
 interpreter definition.
%

let Phase_Int_def = new_definition
  (`Phase_Int_def`,
   "! (rep:^rep_ty) (s:time->^Phase_state) (e:time->^Phase_env) .
    Phase_Int rep s e =
      INTERP
        ([(F,F),phase_one rep;
          (F,T),phase_two rep;
          (T,F),phase_three rep;
          (T,T),phase_four rep],
         bt2_val,
         (GetPhaseClock rep:^Phase_state->^Phase_env->bt2),
         (I:^EBM_state->^Phase_state),
         (I:^EBM_env->^Phase_env), EBM rep,
         (GetEBMClock rep:^EBM_state->^EBM_env->bool),
         EBM_Start, (\x:one.F)) s e"
  );;


let Phase_Int = save_thm
  (`Phase_Int`,
   BETA_RULE (
    EXPAND_LET_RULE
     (instantiate_abstract_definition
        `gen_I`
        `INTERP`
        Phase_Int_def))
  );;

%
Phase_Int =
|- !rep s e.
    Phase_Int rep s e =
    (!t.
      s(t + 1) =
      SND
      (EL
       (bt2_val(GetPhaseClock rep(s t)(e t)))
       [(F,F),phase_one rep; (F,T),phase_two rep; (T,F),phase_three rep;
        (T,T),phase_four rep])
      (s t)
      (e t))

Run time: 84.5s

Intermediate theorems generated: 1527
%

let Phase_Int_Inst_Correct_def = new_definition
  (`Phase_Int_Inst_Correct_def`,
   "! (rep:^rep_ty) s' e' .
    Phase_Int_Inst_Correct rep s' e' =
      INST_CORRECT
        ([(F,F),phase_one rep;
          (F,T),phase_two rep;
          (T,F),phase_three rep;
          (T,T),phase_four rep],
         bt2_val,
         (GetPhaseClock rep:^Phase_state->^Phase_env->bt2),
         (I:^EBM_state->^Phase_state),
         (I:^EBM_env->^Phase_env), EBM rep,
         (GetEBMClock rep:^EBM_state->^EBM_env->bool),
         EBM_Start, (\x:one.F)) s' e'"
  );;

let Phase_Int_Inst_Correct =
  let Phase_Int_EXT =
    CONV_RULE (TOP_DEPTH_CONV FUN_EQ_CONV) Phase_Int_Inst_Correct_def in
  (REWRITE_RULE [I_THM] (
    BETA_RULE (
     EXPAND_LET_RULE (
      instantiate_abstract_definition
        `gen_I`
        `INST_CORRECT`
        Phase_Int_EXT))));;


%
Phase_Int_Inst_Correct =
|- !rep s' e' p.
    Phase_Int_Inst_Correct rep s' e' p =
    EBM rep s' e' ==>
    (!t.
      (GetPhaseClock rep(s' t)(e' t) = FST p) /\
      (GetEBMClock rep(s' t)(e' t) = EBM_Start) ==>
      (?c.
        Next(\t'. GetEBMClock rep(s' t')(e' t') = EBM_Start)(t,t + c) /\
        (SND p(s' t)(e' t) = s'(t + c))))

Run time: 203.9s

Intermediate theorems generated: 2744
%
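The INST_CORRECT obligation printed above, as an added executable check. This is example code, not part of the report or of the gen_I theory: `next_holds` follows the Next relation in the form the NEXT_LEMMA below states it (the successor holds at t+c and at no point strictly between), and `inst_correct` walks one bounded implementation trace instead of proving the property. The two-phase toy machine, its instruction list and the env line are constructed for the demonstration and are not AVM-1's EBM or phase level; where the report's proof fixes c = 1 because every phase takes one EBM cycle, the checker searches c up to a bound, so it also covers implementations in which a phase spans several cycles.

```python
# Added example (not from the report): bounded check of the INST_CORRECT
# obligation over a constructed toy machine.  Names, the toy state layout
# and the env line are this example's own; only the shape of the
# obligation comes from the report.
from typing import Callable, Dict, List, Tuple

State = Tuple[int, int, int, bool]       # constructed toy state: (clk, sub, x, latched_env)
Instr = Callable[[State, bool], State]   # SND p: abstract instruction on (state, env)

def next_holds(f: Callable[[int], bool], t1: int, t2: int) -> bool:
    """Next f (t1,t2): t1 < t2, f holds at t2 and at no t' with t1 < t' < t2."""
    return t1 < t2 and f(t2) and all(not f(tp) for tp in range(t1 + 1, t2))

def inst_correct(instrs: Dict[int, Instr],
                 get_abs_clock: Callable[[State, bool], int],
                 get_impl_clock: Callable[[State, bool], int],
                 impl_start: int,
                 impl_step: Callable[[State, bool], State],
                 s0: State, env: Callable[[int], bool],
                 horizon: int, max_c: int) -> bool:
    """Bounded INST_CORRECT over one implementation trace s(0..horizon+max_c):
    at every t where the implementation clock equals impl_start, the abstract
    clock must select an instruction p, and some c in 1..max_c must satisfy
    Next(start)(t, t+c) and SND p (s t)(e t) = s(t+c)."""
    trace: List[State] = [s0]
    for t in range(horizon + max_c):
        trace.append(impl_step(trace[t], env(t)))
    def at_start(t: int) -> bool:
        return get_impl_clock(trace[t], env(t)) == impl_start
    for t in range(horizon):
        if not at_start(t):
            continue
        key = get_abs_clock(trace[t], env(t))
        if key not in instrs:          # would violate the LENGTH/ORDER obligations
            return False
        expected = instrs[key](trace[t], env(t))
        if not any(next_holds(at_start, t, t + c) and trace[t + c] == expected
                   for c in range(1, max_c + 1)):
            return False
    return True

# Constructed toy machine (not AVM-1): two phases, each taking two
# implementation cycles; the env line is sampled on the start cycle.
def toy_impl_step(s: State, e: bool) -> State:
    clk, sub, x, lat = s
    if sub == 0:                              # first half-cycle: latch the env line
        return (clk, 1, x, e)
    if clk == 0:                              # phase 0 completes: x := x + 1
        return (1, 0, x + 1, lat)
    return (0, 0, x if lat else x * 2, lat)   # phase 1: double unless the line was set

toy_instrs: Dict[int, Instr] = {
    0: lambda s, e: (1, 0, s[2] + 1, e),
    1: lambda s, e: (0, 0, s[2] if e else s[2] * 2, e),
}
# A wrong abstract specification: phase 1 ignores the env line.
buggy_instrs: Dict[int, Instr] = {**toy_instrs, 1: lambda s, e: (0, 0, s[2] * 2, e)}

def check_toy(instrs: Dict[int, Instr]) -> bool:
    env = lambda t: (t % 7 == 3)              # constructed env line, set every seventh cycle
    return inst_correct(instrs,
                        get_abs_clock=lambda s, e: s[0],
                        get_impl_clock=lambda s, e: s[1],
                        impl_start=0,
                        impl_step=toy_impl_step,
                        s0=(0, 0, 1, False), env=env, horizon=40, max_c=4)
```

A bounded check of this kind is what one runs before investing in the proof: `check_toy(toy_instrs)` passes, `check_toy(buggy_instrs)` fails at the first start cycle where the env line is set during phase 1, and a missing key fails for the reason the LENGTH and ORDER obligations exist, namely that the clock value must always select an instruction.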


let NEXT_LEMMA = TAC_PROOF
  (([],
    "!t. t < (t + 1) /\ (!t'. ~(t < t' /\ t' < (t + 1)))"),
   REPEAT GEN_TAC
   THEN CONJ_TAC
   THENL [ % 1 %
     REWRITE_TAC [SYM_RULE ADD1; LESS_SUC_REFL]
   ; % 2 %
     REWRITE_TAC [LESS_LESS_SUC; SYM_RULE ADD1]
   ]
  );;

let NOT_IF_LEMMA = TAC_PROOF
  (([],
    "! x y (a b c:*wordn) .
      ((~x /\ y) -> (x -> a | b) | c) =
      ((~x /\ y) -> b | c)"),
   REPEAT GEN_TAC
   THEN BOOL_CASES_TAC "x"
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
   THEN REWRITE_TAC []
  );;

let IF_OR_LEMMA = TAC_PROOF
  (([],
    "! x y (a b:*wordn) .
      (x -> a |
       y -> a | b) =
      ((x \/ y) -> a | b)"),
   REPEAT GEN_TAC
   THEN BOOL_CASES_TAC "x"
   THEN REWRITE_TAC []
  );;


Causa thasa to ba raad in now so that wa can delate the cache 


THO.TUPLE.VALUE.LEMMA ; ; 


THREE.TUPLE.VALUE.LEMMA; ; 

K 

Get rid of sons bulk 


let ALU.FUHC.LEMHA « 

REHRITE.RULE [SYM.RULE ALU.FUHC] HAC2.0UT .LEMMA; ; 


let ALU.CARRY.FUHC.LEMMA » 

REHRITE.RULE [SYM.RULE ALU.CARRY.FUIC] MAC 2.CARRY .LEMMA; ; 


let ALU.OVFL.FUHC.LEMMA - 

REHRITE.RULE [SYM.RULE ALU.OYFL.FUHC] MAC2.0VFL.LEMMA; ; 


let ALU.IEG.FUHC.LEHMA - 

REHRITE.RULE [SYM.RULE ALU.HEG.FUHC] MAC2.HEG.LEMMA; ; 


let ALU.ZERO _ FUH C _ LEMMA - 

REHRITE.RULE [SYM.RULE ALU. ZERO. FUHC] MAC2.ZER0.LEMMA; ; 


let SHIFTER .FUHC .LEMMA - 

REHRITE.RULE [SYM.RULE SHIFTER.FUIC] SHIFTER.OUT.LEKMA ; ; 


let SHIFTER.CARRY. FUHC .LEMMA « 

REHRITE.RULE [SYM.RULE SHIFTER.CARRY.FUHC] SHIFTER.CARRY.LEMU 

M p (dalata.cacha o fst) (cached.theoriesO) ; ; 

let PHASE_ONE_EBM_LEMMA = TAC_PROOF
  (([],
    "! (rep:^rep_ty) (reg:time->(*wordn)list) (mem:time->*memory)
       (psw pc ivec ir mar mbr alatch blatch:time->*wordn)
       (mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
       (mir:time->ucode)
       (ireq_ff iack_ff ireq_e:time->bool) .
     Phase_Int_Inst_Correct rep
       (\t.(reg t, psw t, pc t, mem t, ivec t,
            ir t, mar t, mbr t, mpc t,
            alatch t, blatch t, ireq_ff t,
            iack_ff t, mir t, urom, clk t))
       (\t. (ireq_e t))
       ((F,F),phase_one rep)"),
   PURE_ONCE_REWRITE_TAC [Phase_Int_Inst_Correct]
   THEN REPEAT GEN_TAC
   THEN BETA_TAC
   THEN REWRITE_TAC [GetPhaseClock;Next;
                     GetEBMClock;EBM_Start;phase_one_def;]
   THEN SUBST_TAC [EBM_expanded]
   THEN REPEAT STRIP_TAC
   THEN POP_ASSUM_LIST (\asl. (MAP_EVERY (STRIP_ASSUME_TAC o SPEC_ALL) asl))
   THEN EXISTS_TAC "1"
   THEN ASM_REWRITE_TAC [PAIR_EQ; NEXT_LEMMA]
  );;

let PHASE_TWO_EBM_LEMMA = TAC_PROOF
  (([],
    "! (rep:^rep_ty) (reg:time->(*wordn)list) (mem:time->*memory)
       (psw pc ivec ir mar mbr alatch blatch:time->*wordn)
       (mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
       (mir:time->ucode)
       (ireq_ff iack_ff ireq_e:time->bool) .
     Phase_Int_Inst_Correct rep
       (\t.(reg t, psw t, pc t, mem t, ivec t,
            ir t, mar t, mbr t, mpc t,
            alatch t, blatch t, ireq_ff t,
            iack_ff t, mir t, urom, clk t))
       (\t. (ireq_e t))
       ((F,T),phase_two rep)"),
   PURE_ONCE_REWRITE_TAC [Phase_Int_Inst_Correct]
   THEN REPEAT GEN_TAC
   THEN BETA_TAC
   THEN REWRITE_TAC [GetPhaseClock;Next;
                     GetEBMClock;EBM_Start;phase_two_def;]
   THEN SUBST_TAC [EBM_expanded]
   THEN REPEAT STRIP_TAC
   THEN POP_ASSUM_LIST (\asl.
          MAP_EVERY (STRIP_ASSUME_TAC o SPEC_ALL) asl)
   THEN EXISTS_TAC "1"
   THEN ASM_REWRITE_TAC [PAIR_EQ; NEXT_LEMMA]
   THEN CONJ_TAC
   THENL [
     ASSUM_LIST (\asl.
       let find_aselect_term tm = (
         let (x,y) = (dest_eq tm) in
         (x = "(aselect t):bt3")) ? false in
       UNDISCH_TAC (concl (hd (filter ((find_aselect_term) o concl)
                                      asl))))
     THEN STRUCT_CASES_TAC (SPEC "SrcA(mir t):bt3" THREE_TUPLE_VALUE_LEMMA)
     THEN STRIP_TAC
     THEN POP_ASSUM_LIST (\asl.
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
       let find_aselect_term tm = (
         let (w,(y,(x,z))) = (I # (I # dest_eq))
                             ((I # dest_eq) (dest_forall tm)) in
         (x = "(aselect t):bt3")) ? false in
       let SPEC_t x = (SPEC "t:time" x) ? x in
       let aselect_list =
         (filter ((find_aselect_term) o concl) (tl asl)) in
       let rest = subtract (tl asl) aselect_list in
       let aselect_thms =
         map (REWRITE_RULE [hd asl; PAIR_EQ] o SPEC_ALL) aselect_list in
       MAP_EVERY
         (CHECK_ASSUME_TAC o (REWRITE_RULE aselect_thms) o SPEC_t)
         (rev rest)
       THEN MAP_EVERY ASSUME_TAC aselect_thms)
     THEN RES_TAC
     THEN ASM_REWRITE_TAC [PAIR_EQ]
   ;
     ASSUM_LIST (\asl.
       let find_bselect_term tm = (
         let (x,y) = (dest_eq tm) in
         (x = "(bselect t):bt2")) ? false in
       UNDISCH_TAC (concl (hd (filter ((find_bselect_term) o concl)
                                      asl))))
     THEN STRUCT_CASES_TAC (SPEC "SrcB(mir t):bt2" TWO_TUPLE_VALUE_LEMMA)
     THEN STRIP_TAC
     THEN POP_ASSUM_LIST (\asl.
       let find_bselect_term tm = (
         let (w,(y,(x,z))) = (I # (I # dest_eq))
                             ((I # dest_eq) (dest_forall tm)) in
         (x = "(bselect t):bt2")) ? false in
       let SPEC_t x = (SPEC "t:time" x) ? x in
       let bselect_list =
         (filter ((find_bselect_term) o concl) (tl asl)) in
       let rest = subtract (tl asl) bselect_list in
       let bselect_thms =
         map (REWRITE_RULE [hd asl; PAIR_EQ] o SPEC_ALL)
             bselect_list in
       MAP_EVERY
         (CHECK_ASSUME_TAC o (REWRITE_RULE bselect_thms) o SPEC_t)
         (rev rest))
     THEN RES_TAC
     THEN ASM_REWRITE_TAC [PAIR_EQ]
   ]
  );;

let PHASE_THREE_EBM_LEMMA = TAC_PROOF
  (([],
    "! (rep:^rep_ty) (reg:time->(*wordn)list) (mem:time->*memory)
       (psw pc ivec ir mar mbr alatch blatch:time->*wordn)
       (mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
       (mir:time->ucode)
       (ireq_ff iack_ff ireq_e:time->bool) .
     Phase_Int_Inst_Correct rep
       (\t.(reg t, psw t, pc t, mem t, ivec t,
            ir t, mar t, mbr t, mpc t,
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
            alatch t, blatch t, ireq_ff t,
            iack_ff t, mir t, urom, clk t))
       (\t. (ireq_e t))
       ((T,F),phase_three rep)"),
   PURE_ONCE_REWRITE_TAC [Phase_Int_Inst_Correct]
   THEN REPEAT GEN_TAC
   THEN BETA_TAC
   THEN REWRITE_TAC [GetPhaseClock;Next;
                     GetEBMClock;EBM_Start;phase_three_def;]
   THEN SUBST_TAC [EBM_expanded]
   THEN REPEAT STRIP_TAC
   THEN POP_ASSUM_LIST (\asl. (MAP_EVERY (STRIP_ASSUME_TAC o SPEC_ALL) asl))
   THEN EXISTS_TAC "1"
   THEN ASM_REWRITE_TAC [PAIR_EQ; NEXT_LEMMA]
   THEN BOOL_CASES_TAC "Paux(mir t):bool"
   THEN REWRITE_TAC []
  );;

let PHASE_FOUR_EBM_LEMMA = TAC_PROOF
  (([],
    "! (rep:^rep_ty) (reg:time->(*wordn)list) (mem:time->*memory)
       (psw pc ivec ir mar mbr alatch blatch:time->*wordn)
       (mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
       (mir:time->ucode)
       (ireq_ff iack_ff ireq_e:time->bool) .
     Phase_Int_Inst_Correct rep
       (\t.(reg t, psw t, pc t, mem t, ivec t,
            ir t, mar t, mbr t, mpc t,
            alatch t, blatch t, ireq_ff t,
            iack_ff t, mir t, urom, clk t))
       (\t. (ireq_e t))
       ((T,T),phase_four rep)"),
   PURE_ONCE_REWRITE_TAC [Phase_Int_Inst_Correct]
   THEN REPEAT GEN_TAC
   THEN BETA_TAC
   THEN REWRITE_TAC [Next;
                     GetPhaseClock;
                     GetEBMClock;EBM_Start]
   THEN SUBST_TAC [EBM_expanded]
   THEN REPEAT STRIP_TAC
   THEN POP_ASSUM_LIST (\asl. (MAP_EVERY (STRIP_ASSUME_TAC o SPEC_ALL) asl))
   THEN EXISTS_TAC "1"
   THEN FIRST_ASSUM
          (\thm. (ASSUME_TAC (MATCH_MP ALU_FUNC_LEMMA thm)) ? NO_TAC)
   THEN FIRST_ASSUM
          (\thm. (ASSUME_TAC (MATCH_MP SHIFTER_FUNC_LEMMA thm)) ? NO_TAC)
   THEN FIRST_ASSUM
          (\thm. (ASSUME_TAC (MATCH_MP ALU_NEG_FUNC_LEMMA thm)) ? NO_TAC)
   THEN FIRST_ASSUM
          (\thm. (ASSUME_TAC (MATCH_MP ALU_ZERO_FUNC_LEMMA thm)) ? NO_TAC)
   THEN FIRST_ASSUM
          (\thm. (ASSUME_TAC (MATCH_MP ALU_CARRY_FUNC_LEMMA thm)) ? NO_TAC)
   THEN FIRST_ASSUM
          (\thm. (ASSUME_TAC (MATCH_MP ALU_OVFL_FUNC_LEMMA thm)) ? NO_TAC)
   THEN FIRST_ASSUM
          (\thm. (ASSUME_TAC (MATCH_MP SHIFTER_CARRY_FUNC_LEMMA thm)) ? NO_TAC)
   THEN ASM_REWRITE_TAC [PAIR_EQ; NEXT_LEMMA;
                         phase_four_expanded;
                         IF_OR_LEMMA; NOT_IF_LEMMA]
   THEN REPEAT CONJ_TAC
   THENL [ % 1 %
     ASM_CASES_TAC "Wr(mir t):bool"
     THENL [ % 1.1 %
       POP_ASSUM (\thm1.
         FIRST_ASSUM (\thm2. (
           ASSUME_TAC (
             EQ_MP (SYM_RULE thm2) thm1)) ? NO_TAC))
       THEN RES_TAC
     ; % 1.2 %
       ALL_TAC
     ]
   ; % 2 %
     ASM_CASES_TAC "Rd(mir t):bool"
     THENL [ % 1.1 %
       POP_ASSUM (\thm1.
         FIRST_ASSUM (\thm2. (
           ASSUME_TAC (
             EQ_MP (SYM_RULE thm2) thm1)) ? NO_TAC))
       THEN RES_TAC
     ; % 1.2 %
       ALL_TAC
     ]
   ]
   THEN ASM_REWRITE_TAC []
  );;


%
 The first obligation of the abstract interpreter theory
%
let Phase_Int_Correct_LEMMA_AUX = TAC_PROOF
  (([],
    "! (rep:^rep_ty) (reg:time->(*wordn)list) (mem:time->*memory)
       (psw pc ivec ir mar mbr alatch blatch:time->*wordn)
       (mpc:time->bt6) (clk:time->bt2) (urom:num->ucode)
       (mir:time->ucode)
       (ireq_ff iack_ff ireq_e:time->bool) .
     EVERY (Phase_Int_Inst_Correct rep
             (\t. (reg t, psw t, pc t, mem t, ivec t,
                   ir t, mar t, mbr t, mpc t,
                   alatch t, blatch t, ireq_ff t,
                   iack_ff t, mir t, urom, clk t))
             (\t. (ireq_e t)))
           [(F,F),phase_one rep;
            (F,T),phase_two rep;
            (T,F),phase_three rep;
            (T,T),phase_four rep]"),
   REWRITE_TAC [EVERY_DEF]
   THEN REPEAT STRIP_TAC
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
   THEN FIRST [
     MATCH_ACCEPT_TAC PHASE_ONE_EBM_LEMMA;
     MATCH_ACCEPT_TAC PHASE_TWO_EBM_LEMMA;
     MATCH_ACCEPT_TAC PHASE_THREE_EBM_LEMMA;
     MATCH_ACCEPT_TAC PHASE_FOUR_EBM_LEMMA
   ]
  );;


let Phase_Int_Correct_LEMMA = (
    SPEC_ALL (
     PURE_ONCE_REWRITE_RULE [Phase_Int_Inst_Correct_def] (
      Phase_Int_Correct_LEMMA_AUX)));;


%
 The second obligation of the abstract interpreter theory
%
let Phase_Int_LENGTH_LEMMA = TAC_PROOF
  (([],
    "! clk:bt2. bt2_val clk < (LENGTH
       [(F,F),phase_one (rep:^rep_ty);
        (F,T),phase_two rep;
        (T,F),phase_three rep;
        (T,T),phase_four rep])"),
   MATCH_ACCEPT_TAC bt2_LENGTH_LEMMA
  );;

%
 The third obligation of the abstract interpreter theory
%
let Phase_Int_ORDER_LEMMA = TAC_PROOF
  (([],
    "!clk:bt2. clk = (FST (EL (bt2_val clk) [(F,F),phase_one (rep:^rep_ty);
                                              (F,T),phase_two rep;
                                              (T,F),phase_three rep;
                                              (T,T),phase_four rep]))"),
   REPEAT GEN_TAC
   THEN STRUCT_CASES_TAC (SPEC "clk:bt2" TWO_TUPLE_VALUE_LEMMA)
   THEN PURE_ONCE_REWRITE_TAC [bt2_val]
   THEN CONV_TAC (TOP_DEPTH_CONV num_CONV)
   THEN REWRITE_TAC [EL; FST; HD; TL]
  );;


%
 Get the instantiation
%
let theorem_list =
  instantiate_abstract_theorems
    `gen_I`
    [Phase_Int_Correct_LEMMA;
     Phase_Int_LENGTH_LEMMA;
     Phase_Int_ORDER_LEMMA]
    [
     ("rep:^I_rep_ty",
      "([(F,F),phase_one (rep:^rep_ty);
         (F,T),phase_two rep;
         (T,F),phase_three rep;
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
         (T,T),phase_four rep],
        bt2_val,
        GetPhaseClock rep:^Phase_state->^Phase_env->bt2,
        I:^EBM_state->^Phase_state,
        I:^EBM_env->^Phase_env,
        EBM rep,
        GetEBMClock rep:^EBM_state->^EBM_env->bool,
        EBM_Start,
        (\x:one.F))");
     ("e':time->^EBM_env",
      "(\t. (ireq_e t)):time->^EBM_env");
     ("s':time->^EBM_state",
      "(\t. (reg t, psw t, pc t, mem t, ivec t,
            ir t, mar t, mbr t, mpc t,
            alatch t, blatch t, ireq_ff t,
            iack_ff t, mir t, urom, clk t)):time->^EBM_state")
    ]
    `PHASE`;;




%
yields . . .

theorem_list =
[(`PHASE_IMPL_I_CORRECT`,
  |- let s t =
       I
       ((\t'. (reg t',psw t',pc t',mem t',ivec t',ir t',mar t',mbr t',
               mpc t',alatch t',blatch t',ireq_ff t',iack_ff t',mir t',
               urom,clk t'))
        t)
     and e t = I((\t'. (ireq_e t' t))t)
     and f t =
       (GetEBMClock
        rep
        ((\t'. (reg t',psw t',pc t',mem t',ivec t',ir t',mar t',mbr t',
                mpc t',alatch t',blatch t',ireq_ff t',iack_ff t',mir t',
                urom,clk t'))
         t)
        ((\t'. (ireq_e t' t))t) =
        EBM_Start)
     in
     let abs = Temp_Abs f
     in
     (EBM
      rep
      (\t. (reg t,psw t,pc t,mem t,ivec t,ir t,mar t,mbr t,mpc t,
            alatch t,blatch t,ireq_ff t,iack_ff t,mir t,urom,clk t))
      (\t. (ireq_e t t)) /\
      (?t. f t) ==>
      INTERP
      ([(F,F),phase_one rep; (F,T),phase_two rep; (T,F),phase_three rep;
        (T,T),phase_four rep],bt2_val,GetPhaseClock rep,I,I,EBM rep,
       GetEBMClock rep,EBM_Start,(\x. F))
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
      (s o abs)
      (e o abs)))]
: (string # thm) list
Run time: 526.4s

Intermediate theorems generated: 3903
%


let correct_lemma = snd(hd theorem_list);;

let TRUTH_EXISTS = TAC_PROOF
  (([],
    "?t:time.T"),
   EXISTS_TAC "0"
   THEN REWRITE_TAC []
  );;

%
 Rewrite the correctness lemma into a prettier form.
%

let PHASE_LEVEL_CORRECT_LEMMA = save_thm
  (`PHASE_LEVEL_CORRECT_LEMMA`,
   REWRITE_RULE [I_o_ID; Temp_Abs_DEGENERATE; TRUTH_EXISTS] (
    EXPAND_LET_RULE (
     ONCE_REWRITE_RULE [GetEBMClock;EBM_Start;I_THM] (
      BETA_RULE (
       ONCE_REWRITE_RULE [SYM_RULE Phase_Int_def] correct_lemma))))
  );;


%
yields . . .

PHASE_LEVEL_CORRECT_LEMMA =
|- EBM
   rep
   (\t.
     (reg t,psw t,pc t,mem t,ivec t,ir t,mar t,mbr t,mpc t,alatch t,
      blatch t,ireq_ff t,iack_ff t,mir t,urom,clk t))
   (\t. (ireq_e t t)) ==>
   Phase_Int
   rep
   (\t.
     (reg t,psw t,pc t,mem t,ivec t,ir t,mar t,mbr t,mpc t,alatch t,
      blatch t,ireq_ff t,iack_ff t,mir t,urom,clk t))
   (\t. (ireq_e t t))

Run time: 346.7s

Intermediate theorems generated: 4769
%
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3.6 The Micro-Level

This section presents the theories that define the micro-level interpreter. Also presented is the theory
that verifies the micro-level interpreter with respect to the phase-level interpreter.

3.6.1 The Micro-Level Interpreter

This section presents the ML code that creates the theory micro_def.th.




%
 File:        def_micro.ml

 Author:      (c) P. J. Windley 1989

 Date:        05 APR 90

 Description:

   Defines the behavioral description of the micro interpreter
   level

 Modified:

   12 APR 90 — Changed DECODE to use only 5 lsb in opcode.
%

set_search_path (search_path() @ [`/muztag/home/windley/hol/tactics/`;
                                 `/muztag/home/windley/hol/ml/`;
                                ]);;

let Library_Root = `/muztag/home/windley/hol/Library/`;;

set_search_path
  (search_path() @
   (map (concat Library_Root)
        [`numbers/`; `decimal/`; `assoc/`; `tuple/`]));;

loadf `abstract`;;
system `/bin/rm micro_def.th`;;
new_theory `micro_def`;;
map new_parent [`tuple`];;

map new_parent [`aux_def`; `aux_thms`; `regs_def`; `jump_def`];;
let rep_ty = abstract_type `aux_def` `opcode`;;
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
%
 If you change these addresses, change the list in def_uinst.ml
 as well.
%
let FETCH_ADDR   = "(F,F,F,F,F,F)";;
let CALL_u2_ADDR = "(T,F,F,T,F,F)";;
let CALL_u3_ADDR = "(T,F,F,T,F,T)";;
let CALL_u4_ADDR = "(T,F,F,T,T,F)";;
let INT_u2_ADDR  = "(T,F,F,T,T,T)";;
let INT_u3_ADDR  = "(T,F,T,F,F,F)";;
let INT_u4_ADDR  = "(T,F,T,F,F,T)";;
let RTI_u2_ADDR  = "(T,F,T,F,T,F)";;
let RTI_u3_ADDR  = "(T,F,T,F,T,T)";;
let RTN_u2_ADDR  = "(T,F,T,T,F,F)";;
let LD_u2_ADDR   = "(T,F,T,T,F,T)";;
let ST_u2_ADDR   = "(T,F,T,T,T,F)";;
let ST_u3_ADDR   = "(T,F,T,T,T,T)";;
let STI_u2_ADDR  = "(T,T,F,F,F,F)";;
let EINT_u1_ADDR = "(T,T,F,F,F,T)";;
let EINT_u2_ADDR = "(T,T,F,F,T,F)";;
let EINT_u3_ADDR = "(T,T,F,F,T,T)";;
let EINT_u4_ADDR = "(T,T,F,T,F,F)";;
let LD_u3_ADDR   = "(T,T,F,T,F,T)";;


%
 Micro instruction 0: fetch
%
let FETCH = new_definition
  (`FETCH_def`,
   "! (rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
      (psw pc ivec ir mar mbr:*wordn) (mpc:bt6)
      (int_e:bool) .
    FETCH rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
              (int_e) =
      (reg, psw, pc, mem, ivec, ir,
       pc,
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
       fetch rep (mem, address rep pc),
       ((int_e /\ (get_ie rep psw)) -> ^EINT_u1_ADDR | add_bt6 mpc 1))"
  );;

save_thm(`FETCH`,EXPAND_LET_RULE FETCH);;




%
 Micro instruction 1: issue
%
let ISSUE = new_definition
  (`ISSUE_def`,
   "! (rep:^rep_ty) reg mem
      (psw pc ivec ir mar mbr:*wordn) (mpc:bt6)
      (int_e:bool) .
    ISSUE rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
              (int_e) =
      (reg, psw, pc, mem, ivec, mbr,
       mar, mbr, add_bt6 mpc 1)"
  );;

save_thm(`ISSUE`,EXPAND_LET_RULE ISSUE);;




%
 Micro instruction 2: decode
%
let DECODE = new_definition
  (`DECODE_def`,
   "! (rep:^rep_ty) reg mem
      (psw pc ivec ir mar mbr:*wordn) (mpc:bt6)
      (int_e:bool) .
    DECODE rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
      (reg, psw, inc rep pc, mem, ivec, ir,
       mar, mbr, add_bt6 (F,(SND(opcode rep ir))) 4)"
  );;

save_thm(`DECODE`,EXPAND_LET_RULE DECODE);;


%
 table entry 0: first uinst for JMP
%
let JMP_u1 = new_definition
  (`JMP_u1_def`,
   "! (rep:^rep_ty) reg mem
      (psw pc ivec ir mar mbr:*wordn) (mpc:bt6)
      (int_e:bool) .
    JMP_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
      let a = EL (reg_len rep (srca rep ir)) reg and
          i = imm rep ir and
          d = reg_len rep (dest rep ir) in
      let result = add rep (a, i) in
      let jump_cond = JUMP_COND rep d psw in
      (reg, psw,
       (jump_cond -> result | pc),
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
       mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;

save_thm(`JMP_u1`,EXPAND_LET_RULE JMP_u1);;

%
 table entry 1: first uinst for CALL
%
let CALL_u1 = new_definition
  (`CALL_u1_def`,
   "! (rep:^rep_ty) reg mem
      (psw pc ivec ir mar mbr:*wordn) (mpc:bt6)
      (int_e:bool) .
    CALL_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
                (int_e) =
      (reg, psw, pc,
       mem, ivec, ir, mar, pc, ^CALL_u2_ADDR)"
  );;

save_thm(`CALL_u1`,EXPAND_LET_RULE CALL_u1);;

let CALL_u2 = new_definition
  (`CALL_u2_def`,
   "! (rep:^rep_ty) (reg:(*wordn)list) mem
      (psw pc ivec ir mar mbr:*wordn) (mpc:bt6)
      (int_e:bool) .
    CALL_u2 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
                (int_e) =
      let d = reg_len rep (dest rep ir) in
      (reg, psw, pc,
       mem, ivec, ir, EL d reg, mbr, ^CALL_u3_ADDR)"
  );;

save_thm(`CALL_u2`,EXPAND_LET_RULE CALL_u2);;

let CALL_u3 = new_definition
  (`CALL_u3_def`,
   "! (rep:^rep_ty) reg mem
      (psw pc ivec ir mar mbr:*wordn) (mpc:bt6)
      (int_e:bool) .
    CALL_u3 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
                (int_e) =
      let a = EL (reg_len rep (srca rep ir)) reg and
          i = imm rep ir in
      let result = add rep (a, i) in
      (reg, psw, result,
       store rep (mem, address rep mar, mbr),
       ivec, ir, mar, mbr, ^CALL_u4_ADDR)"
  );;

save_thm(`CALL_u3`,EXPAND_LET_RULE CALL_u3);;

let CALL_u4 = new_definition
  (`CALL_u4_def`,
   "! (rep:^rep_ty) reg mem
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
      (psw pc ivec ir mar mbr:*wordn) (mpc:bt6)
      (int_e:bool) .
    CALL_u4 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
                (int_e) =
      let d = reg_len rep (dest rep ir) in
      let result = inc rep (EL d reg) in
      (UPDATE_REG rep psw d reg result, psw, pc, mem,
       ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;

save_thm(`CALL_u4`,EXPAND_LET_RULE CALL_u4);;

%
 table entry 2: first uinst for INT
%
let INT_u1 = new_definition
  (`INT_u1_def`,
   "! (rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
      (psw pc ivec ir mar mbr:*wordn) (mpc:bt6)
      (int_e:bool) .
    INT_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
      let cflag = get_cf rep psw and
          vflag = get_vf rep psw and
          nflag = get_nf rep psw and
          zflag = get_zf rep psw and
          sm = T and
          ie = F in
      (reg,
       mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
       pc, mem, ivec, ir, mar, pc, ^INT_u2_ADDR)"
  );;

save_thm(`INT_u1`,EXPAND_LET_RULE INT_u1);;

let INT_u2 = new_definition
  (`INT_u2_def`,
   "! (rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
      (psw pc ivec ir mar mbr:*wordn) (mpc:bt6)
      (int_e:bool) .
    INT_u2 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
      (reg, psw, pc, mem,
       ivec, ir, SSP_REG reg, mbr, ^INT_u3_ADDR)"
  );;

save_thm(`INT_u2`,EXPAND_LET_RULE INT_u2);;

let INT_u3 = new_definition
  (`INT_u3_def`,
   "! (rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
      (psw pc ivec ir mar mbr:*wordn) (mpc:bt6)
      (int_e:bool) .
    INT_u3 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
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
      let result = inc rep (SSP_REG reg) in
      (UPDATE_REG rep psw ssp_reg reg result,
       psw, pc, mem, ivec, ir, mar, mbr, ^INT_u4_ADDR)"
  );;

save_thm(`INT_u3`,EXPAND_LET_RULE INT_u3);;

let INT_u4 = new_definition
  (`INT_u4_def`,
   "! (rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
      (psw pc ivec ir mar mbr:*wordn) (mpc:bt6)
      (int_e:bool) .
    INT_u4 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
      let i = imm rep ir in
      let result = band rep (wordn rep 256, i) in
      (reg, psw, result,
       store rep (mem, address rep mar, mbr),
       ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;

save_thm(`INT_u4`,EXPAND_LET_RULE INT_u4);;


%
 table entry 3: first uinst for RTI
%
let RTI_u1 = new_definition
  (`RTI_u1_def`,
   "! (rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
      (psw pc ivec ir mar mbr:*wordn) (mpc:bt6)
      (int_e:bool) .
    RTI_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
      let result = dec rep (SSP_REG reg) in
      (UPDATE_REG rep psw ssp_reg reg result,
       psw, pc, mem, ivec, ir, result, mbr, ^RTI_u2_ADDR)"
  );;

save_thm(`RTI_u1`,EXPAND_LET_RULE RTI_u1);;

let RTI_u2 = new_definition
  (`RTI_u2_def`,
   "! (rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
      (psw pc ivec ir mar mbr:*wordn) (mpc:bt6)
      (int_e:bool) .
    RTI_u2 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
      let cflag = get_cf rep psw and
          vflag = get_vf rep psw and
          nflag = get_nf rep psw and
          zflag = get_zf rep psw and
          sm = F and
          ie = T in
      (reg,
       mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
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
       pc, mem, ivec, ir, mar,
       fetch rep (mem, address rep mar), ^RTI_u3_ADDR)"
  );;

save_thm(`RTI_u2`,EXPAND_LET_RULE RTI_u2);;

let RTI_u3 = new_definition
  (`RTI_u3_def`,
   "! (rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
      (psw pc ivec ir mar mbr:*wordn) (mpc:bt6)
      (int_e:bool) .
    RTI_u3 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
      (reg, psw, mbr, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;

save_thm(`RTI_u3`,EXPAND_LET_RULE RTI_u3);;


%
 table entry 4: first uinst for GPSW
%
let GPSW_u1 = new_definition
  (`GPSW_u1_def`,
   "! (rep:^rep_ty) reg mem (psw pc ivec ir mar mbr:*wordn) (mpc:bt6)
      (int_e:bool) .
    GPSW_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
                (int_e) =
      let d = reg_len rep (dest rep ir) in
      (UPDATE_REG rep psw d reg psw,
       psw, pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;

save_thm(`GPSW_u1`,EXPAND_LET_RULE GPSW_u1);;

%
 table entry 5: first uinst for PPSW
%
let PPSW_u1 = new_definition
  (`PPSW_u1_def`,
   "! (rep:^rep_ty) reg mem (psw pc ivec ir mar mbr:*wordn) (mpc:bt6)
      (int_e:bool) .
    PPSW_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
                (int_e) =
      let d = reg_len rep (dest rep ir) and
          sm = get_sm rep psw in
      (reg,
       (sm -> (EL d reg) | psw),
       pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;

save_thm(`PPSW_u1`,EXPAND_LET_RULE PPSW_u1);;
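The microinstructions above, collected into a runnable Python model of the micro-level state tuple. This is an added example, not code from the report or from the AVM-1 proof scripts: the PSW field order (sm, ie, vf, nf, cf, zf), the microcode addresses, the order in which INT and RTI change the mode bits, DECODE's use of the 5 lsb of the opcode and PPSW's supervisor check follow the definitions on this page, while the 16-bit word size, the instruction-word layout (opcode in the top six bits, immediate in the low ten), the PSW-to-word packing used by GPSW and PPSW, the UPDATE_REG protection rule, and the choice of register 7 as the supervisor stack pointer are this example's assumptions.

```python
# Added example (not from the report): a model of FETCH, DECODE, INT_u1..u4,
# RTI_u1..u3, GPSW_u1 and PPSW_u1 on the state (reg, psw, pc, mem, ivec, ir,
# mar, mbr, mpc).  Word size, register-file protection, PSW packing and the
# ir layout are assumptions of this example.
from dataclasses import dataclass, replace
from typing import Dict, Tuple

WORD = 0xFFFF          # assumption: 16-bit words for the model
SSP_REG = 7            # assumption: the supervisor stack pointer is register 7
PSW = Tuple[bool, bool, bool, bool, bool, bool]   # mk_psw order: (sm, ie, vf, nf, cf, zf)

def bt6(bits: str) -> int:
    """Microcode address written as in the report ('TTFFFT'), msb first."""
    return int(bits.replace("T", "1").replace("F", "0"), 2)

FETCH_ADDR, EINT_u1_ADDR = bt6("FFFFFF"), bt6("TTFFFT")
INT_u2_ADDR, INT_u3_ADDR, INT_u4_ADDR = bt6("TFFTTT"), bt6("TFTFFF"), bt6("TFTFFT")
RTI_u2_ADDR, RTI_u3_ADDR = bt6("TFTFTF"), bt6("TFTFTT")

def psw_to_word(p: PSW) -> int:
    """Assumed packing for GPSW/PPSW: bit 5 = sm, bit 4 = ie, ..., bit 0 = zf."""
    return sum(int(b) << (5 - i) for i, b in enumerate(p))

def word_to_psw(w: int) -> PSW:
    return tuple(bool((w >> (5 - i)) & 1) for i in range(6))  # type: ignore[return-value]

@dataclass(frozen=True)
class MState:
    """The micro-level state tuple (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)."""
    reg: Tuple[int, ...]; psw: PSW; pc: int; mem: Dict[int, int]
    ivec: int; ir: int; mar: int; mbr: int; mpc: int

def update_reg(psw: PSW, d: int, reg: Tuple[int, ...], value: int) -> Tuple[int, ...]:
    """UPDATE_REG as assumed here: R0 is read-only and R1..R7 are supervisor
    registers, so a write to them is dropped unless sm is set."""
    if d == 0 or (1 <= d <= 7 and not psw[0]):
        return reg
    r = list(reg); r[d] = value & WORD
    return tuple(r)

def with_reg(s: MState, d: int, value: int) -> MState:
    return replace(s, reg=s.reg[:d] + (value & WORD,) + s.reg[d + 1:])

def with_psw(s: MState, psw: PSW) -> MState:
    return replace(s, psw=psw)

def FETCH(s: MState, int_e: bool) -> MState:
    """mar := pc, mbr := mem[pc]; branch to EINT only if a request is pending AND ie is set."""
    nxt = EINT_u1_ADDR if (int_e and s.psw[1]) else s.mpc + 1
    return replace(s, mar=s.pc, mbr=s.mem.get(s.pc, 0), mpc=nxt)

def DECODE(s: MState, int_e: bool) -> MState:
    """pc := pc + 1; mpc := 4 + (5 lsb of the opcode), so dispatch stays inside the table."""
    opcode = (s.ir >> 10) & 0x3F          # assumption: 6-bit opcode in the top bits of ir
    return replace(s, pc=(s.pc + 1) & WORD, mpc=4 + (opcode & 0x1F))

def INT_u1(s: MState, int_e: bool) -> MState:
    """sm := T, ie := F with the flags kept; mbr := pc saves the return address."""
    _, _, vf, nf, cf, zf = s.psw
    return replace(s, psw=(True, False, vf, nf, cf, zf), mbr=s.pc, mpc=INT_u2_ADDR)

def INT_u2(s: MState, int_e: bool) -> MState:
    return replace(s, mar=s.reg[SSP_REG], mpc=INT_u3_ADDR)

def INT_u3(s: MState, int_e: bool) -> MState:
    result = (s.reg[SSP_REG] + 1) & WORD
    return replace(s, reg=update_reg(s.psw, SSP_REG, s.reg, result), mpc=INT_u4_ADDR)

def INT_u4(s: MState, int_e: bool) -> MState:
    """mem[mar] := mbr pushes the saved pc; pc := band (256, imm) as the report writes it."""
    mem = dict(s.mem); mem[s.mar] = s.mbr
    return replace(s, pc=256 & (s.ir & 0x3FF), mem=mem, mpc=FETCH_ADDR)

def RTI_u1(s: MState, int_e: bool) -> MState:
    result = (s.reg[SSP_REG] - 1) & WORD
    return replace(s, reg=update_reg(s.psw, SSP_REG, s.reg, result), mar=result, mpc=RTI_u2_ADDR)

def RTI_u2(s: MState, int_e: bool) -> MState:
    """sm := F, ie := T with the flags kept; mbr := mem[mar] reloads the saved pc."""
    _, _, vf, nf, cf, zf = s.psw
    return replace(s, psw=(False, True, vf, nf, cf, zf), mbr=s.mem.get(s.mar, 0), mpc=RTI_u3_ADDR)

def RTI_u3(s: MState, int_e: bool) -> MState:
    return replace(s, pc=s.mbr, mpc=FETCH_ADDR)

def GPSW_u1(s: MState, int_e: bool, d: int) -> MState:
    """reg[d] := psw, with d standing for reg_len rep (dest rep ir)."""
    return replace(s, reg=update_reg(s.psw, d, s.reg, psw_to_word(s.psw)), mpc=FETCH_ADDR)

def PPSW_u1(s: MState, int_e: bool, d: int) -> MState:
    """psw := reg[d] only when sm is set; in user mode the PSW is left untouched."""
    return replace(s, psw=word_to_psw(s.reg[d]) if s.psw[0] else s.psw, mpc=FETCH_ADDR)

def interrupt_then_return(s: MState) -> Tuple[MState, MState]:
    """Run INT_u1..u4, then RTI_u1..u3; return the handler-entry state and the state after return."""
    inside = s
    for step in (INT_u1, INT_u2, INT_u3, INT_u4):
        inside = step(inside, True)
    back = inside
    for step in (RTI_u1, RTI_u2, RTI_u3):
        back = step(back, False)
    return inside, back

def user_state(ir: int = 0) -> MState:
    """Constructed start state: user mode, interrupts enabled, pc 0x42, ssp 0x100."""
    reg = tuple(0x100 if i == SSP_REG else 0 for i in range(32))
    return MState(reg=reg, psw=(False, True, False, False, False, False), pc=0x42,
                  mem={}, ivec=0, ir=ir, mar=0, mbr=0, mpc=FETCH_ADDR)
```

Running `interrupt_then_return` on the constructed user-mode state shows the ordering the definitions encode: INT_u1 raises sm and clears ie before INT_u3 touches the supervisor stack pointer (which, under the assumed UPDATE_REG rule, is only writable once sm is set), RTI_u2 drops sm and re-enables interrupts only after the return address has been read back, and PPSW_u1 refuses to load the PSW from a register unless sm is already set. Among the microinstructions modelled here, the interrupt sequence is therefore the only way for user-mode code to end up with sm set.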


%
 table entry 6: first uinst for LD
%
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
let LD_u1 = new_definition
  (`LD_u1_def`,
   "! (rep:^rep_ty) reg mem (psw pc ivec ir mar mbr:*wordn) (mpc:bt6)
      (int_e:bool) .
    LD_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
              (int_e) =
      let a = EL (reg_len rep (srca rep ir)) reg and
          b = EL (reg_len rep (srcb rep ir)) reg in
      let result = add rep (a, b) in
      (reg, psw, pc, mem, ivec, ir, result, mbr, ^LD_u2_ADDR)"
  );;

save_thm(`LD_u1`,EXPAND_LET_RULE LD_u1);;

%
 LD_u2_ADDR: second uinst for LD.
%
let LD_u2 = new_definition
  (`LD_u2_def`,
   "! (rep:^rep_ty) reg mem (psw pc ivec ir mar mbr:*wordn) (mpc:bt6)
      (int_e:bool) .
    LD_u2 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
              (int_e) =
      (reg, psw, pc, mem, ivec, ir, mar,
       fetch rep (mem, address rep mar), ^LD_u3_ADDR)"
  );;

save_thm(`LD_u2`,EXPAND_LET_RULE LD_u2);;

%
 LD_u3_ADDR: third uinst for LD.
%
let LD_u3 = new_definition
  (`LD_u3_def`,
   "! (rep:^rep_ty) reg mem (psw pc ivec ir mar mbr:*wordn) (mpc:bt6)
      (int_e:bool) .
    LD_u3 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
              (int_e) =
      let d = reg_len rep (dest rep ir) in
      (UPDATE_REG rep psw d reg mbr,
       psw, pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
  );;

save_thm(`LD_u3`,EXPAND_LET_RULE LD_u3);;

%
table entry 7: first uinst for ST (mar := srca + srcb)
%
let ST_u1 = new_definition
 (`ST_u1_def`,
  "!(rep:^rep_ty) reg mem (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
    (int_e:bool) .
   ST_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
             (int_e) =
   let a = EL (reg_len rep (srca rep ir)) reg and
       b = EL (reg_len rep (srcb rep ir)) reg in
   let result = add rep (a, b) in
   (reg, psw, pc, mem, ivec, ir, result, mbr, ^ST_u2_ADDR)"
 );;

save_thm(`ST_u1`, EXPAND_LET_RULE ST_u1);;

%
ST_u2_ADDR: second uinst for ST (mbr := dest register)
%
let ST_u2 = new_definition
 (`ST_u2_def`,
  "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
    (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
    (int_e:bool) .
   ST_u2 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
             (int_e) =
   let d = reg_len rep (dest rep ir) in
   (reg, psw, pc, mem, ivec, ir, mar, EL d reg, ^ST_u3_ADDR)"
 );;

save_thm(`ST_u2`, EXPAND_LET_RULE ST_u2);;

%
ST_u3_ADDR: third uinst for ST (mem[mar] := mbr)
%
let ST_u3 = new_definition
 (`ST_u3_def`,
  "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
    (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
    (int_e:bool) .
   ST_u3 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
             (int_e) =
   (reg, psw, pc, store rep (mem, address rep mar, mbr),
    ivec, ir, mar, mbr, ^FETCH_ADDR)"
 );;

save_thm(`ST_u3`, EXPAND_LET_RULE ST_u3);;


%
table entry 8: first uinst for LSL (dest := srca << 1; carry := msb of
srca; the other flags are copied from the old psw, not recomputed)
%
let LSL_u1 = new_definition
 (`LSL_u1_def`,
  "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
    (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
    (int_e:bool) .
   LSL_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
              (int_e) =
   let a = EL (reg_len rep (srca rep ir)) reg and
       d = reg_len rep (dest rep ir) in
   let result = shl rep a in
   let cflag = msb rep a and
       vflag = get_vf rep psw and
       nflag = get_nf rep psw and
       zflag = get_zf rep psw and
       sm = get_sm rep psw and
       ie = get_ie rep psw in
   (UPDATE_REG rep psw d reg result,
    mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
    pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
 );;

save_thm(`LSL_u1`, EXPAND_LET_RULE LSL_u1);;



%
table entry 9: first uinst for LSR (dest := srca >> 1; carry := lsb of srca)
%
let LSR_u1 = new_definition
 (`LSR_u1_def`,
  "!(rep:^rep_ty) reg mem (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
    (int_e:bool) .
   LSR_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
              (int_e) =
   let a = EL (reg_len rep (srca rep ir)) reg and
       d = reg_len rep (dest rep ir) in
   let result = shr rep a in
   let cflag = lsb rep a and
       vflag = get_vf rep psw and
       nflag = get_nf rep psw and
       zflag = get_zf rep psw and
       sm = get_sm rep psw and
       ie = get_ie rep psw in
   (UPDATE_REG rep psw d reg result,
    mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
    pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
 );;

save_thm(`LSR_u1`, EXPAND_LET_RULE LSR_u1);;


%
table entry 10: first uinst for ASR (arithmetic shift right; carry := lsb of srca)
%
let ASR_u1 = new_definition
 (`ASR_u1_def`,
  "!(rep:^rep_ty) reg mem (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
    (int_e:bool) .
   ASR_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
              (int_e) =
   let a = EL (reg_len rep (srca rep ir)) reg and
       d = reg_len rep (dest rep ir) in
   let result = asr rep a in
   let cflag = lsb rep a and
       vflag = get_vf rep psw and
       nflag = get_nf rep psw and
       zflag = get_zf rep psw and
       sm = get_sm rep psw and
       ie = get_ie rep psw in
   (UPDATE_REG rep psw d reg result,
    mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
    pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
 );;

save_thm(`ASR_u1`, EXPAND_LET_RULE ASR_u1);;




%
table entry 11: first uinst for RTN (pop the return address: the register
named by dest is decremented and the new value is also placed in mar)
%
let RTN_u1 = new_definition
 (`RTN_u1_def`,
  "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
    (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
    (int_e:bool) .
   RTN_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
              (int_e) =
   let d = reg_len rep (dest rep ir) in
   let result = dec rep (EL d reg) in
   (UPDATE_REG rep psw d reg result,
    psw, pc, mem, ivec, ir, result, mbr, ^RTN_u2_ADDR)"
 );;

save_thm(`RTN_u1`, EXPAND_LET_RULE RTN_u1);;

%
RTN_u2_ADDR: second uinst for RTN (mbr := mem[mar]).
Return through RTI_u3 to transfer mbr to pc.
%
let RTN_u2 = new_definition
 (`RTN_u2_def`,
  "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
    (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
    (int_e:bool) .
   RTN_u2 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
              (int_e) =
   (reg, psw, pc, mem, ivec, ir, mar,
    fetch rep (mem, address rep mar), ^RTI_u3_ADDR)"
 );;

save_thm(`RTN_u2`, EXPAND_LET_RULE RTN_u2);;


%
table entry 12: first uinst for NOOP (used to fill urom)
%
let NOOP_u1 = new_definition
 (`NOOP_u1_def`,
  "!(rep:^rep_ty) reg mem (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
    (int_e:bool) .
   NOOP_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
   (reg, psw, pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
 );;

save_thm(`NOOP_u1`, EXPAND_LET_RULE NOOP_u1);;


%
table entry 13: first uinst for NOOP (already defined)
%

%
table entry 14: first uinst for LDI (mar := srca + imm)

Jump to LD_u2_ADDR for second instruction of LDI
%
let LDI_u1 = new_definition
 (`LDI_u1_def`,
  "!(rep:^rep_ty) reg mem (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
    (int_e:bool) .
   LDI_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
              (int_e) =
   let a = EL (reg_len rep (srca rep ir)) reg and
       i = imm rep ir in
   let result = add rep (a, i) in
   (reg, psw, pc, mem, ivec, ir, result, mbr, ^LD_u2_ADDR)"
 );;

save_thm(`LDI_u1`, EXPAND_LET_RULE LDI_u1);;


%
table entry 15: first uinst for STI (mar := srca + imm)
%
let STI_u1 = new_definition
 (`STI_u1_def`,
  "!(rep:^rep_ty) reg mem (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
    (int_e:bool) .
   STI_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
              (int_e) =
   let a = EL (reg_len rep (srca rep ir)) reg and
       i = imm rep ir in
   let result = add rep (a, i) in
   (reg, psw, pc, mem, ivec, ir, result, mbr, ^STI_u2_ADDR)"
 );;

save_thm(`STI_u1`, EXPAND_LET_RULE STI_u1);;

%
STI_u2_ADDR: second uinst for STI (mbr := dest register; the store
itself is shared with ST_u3)
%
let STI_u2 = new_definition
 (`STI_u2_def`,
  "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
    (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
    (int_e:bool) .
   STI_u2 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
              (int_e) =
   let d = reg_len rep (dest rep ir) in
   (reg, psw, pc, mem, ivec, ir, mar, EL d reg, ^ST_u3_ADDR)"
 );;

save_thm(`STI_u2`, EXPAND_LET_RULE STI_u2);;

%
table entry 16: first uinst for ADD (dest := srca + srcb; all four
condition flags are recomputed from the operands and result)
%
let ADD_u1 = new_definition
 (`ADD_u1_def`,
  "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
    (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
    (int_e:bool) .
   ADD_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
              (int_e) =
   let a = EL (reg_len rep (srca rep ir)) reg and
       b = EL (reg_len rep (srcb rep ir)) reg and
       d = reg_len rep (dest rep ir) in
   let result = (add rep (a, b)) in
   let cflag = addp rep (a, b, result) and
       vflag = aovfl rep (a, b, result) and
       nflag = negp rep result and
       zflag = zerop rep result and
       sm = get_sm rep psw and
       ie = get_ie rep psw in
   (UPDATE_REG rep psw d reg result,
    mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
    pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
 );;

save_thm(`ADD_u1`, EXPAND_LET_RULE ADD_u1);;


%
table entry 17: first uinst for ADDC (dest := srca + srcb + carry)
%
let ADDC_u1 = new_definition
 (`ADDC_u1_def`,
  "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
    (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
    (int_e:bool) .
   ADDC_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
   let a = EL (reg_len rep (srca rep ir)) reg and
       b = EL (reg_len rep (srcb rep ir)) reg and
       d = reg_len rep (dest rep ir) in
   let result = (addc rep (a, b, get_cf rep psw)) in
   let cflag = addcp rep (a, b, result) and
       vflag = aovfl rep (a, b, result) and
       nflag = negp rep result and
       zflag = zerop rep result and
       sm = get_sm rep psw and
       ie = get_ie rep psw in
   (UPDATE_REG rep psw d reg result,
    mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
    pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
 );;

save_thm(`ADDC_u1`, EXPAND_LET_RULE ADDC_u1);;


%
table entry 18: first uinst for SUB (dest := srca - srcb)
%
let SUB_u1 = new_definition
 (`SUB_u1_def`,
  "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
    (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
    (int_e:bool) .
   SUB_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
              (int_e) =
   let a = EL (reg_len rep (srca rep ir)) reg and
       b = EL (reg_len rep (srcb rep ir)) reg and
       d = reg_len rep (dest rep ir) in
   let result = (sub rep (a, b)) in
   let cflag = subp rep (a, b, result) and
       vflag = sovfl rep (a, b, result) and
       nflag = negp rep result and
       zflag = zerop rep result and
       sm = get_sm rep psw and
       ie = get_ie rep psw in
   (UPDATE_REG rep psw d reg result,
    mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
    pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
 );;

save_thm(`SUB_u1`, EXPAND_LET_RULE SUB_u1);;


%
table entry 19: first uinst for SUBC (dest := srca - srcb with carry in)
%
let SUBC_u1 = new_definition
 (`SUBC_u1_def`,
  "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
    (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
    (int_e:bool) .
   SUBC_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
   let a = EL (reg_len rep (srca rep ir)) reg and
       b = EL (reg_len rep (srcb rep ir)) reg and
       d = reg_len rep (dest rep ir) in
   let result = (subc rep (a, b, get_cf rep psw)) in
   let cflag = subp rep (a, b, result) and
       vflag = sovfl rep (a, b, result) and
       nflag = negp rep result and
       zflag = zerop rep result and
       sm = get_sm rep psw and
       ie = get_ie rep psw in
   (UPDATE_REG rep psw d reg result,
    mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
    pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
 );;

save_thm(`SUBC_u1`, EXPAND_LET_RULE SUBC_u1);;

%
table entry 20: first uinst for BAND (dest := srca AND srcb; the
logical operations keep the old carry and overflow flags)
%
let BAND_u1 = new_definition
 (`BAND_u1_def`,
  "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
    (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
    (int_e:bool) .
   BAND_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
   let a = EL (reg_len rep (srca rep ir)) reg and
       b = EL (reg_len rep (srcb rep ir)) reg and
       d = reg_len rep (dest rep ir) in
   let result = (band rep (a, b)) in
   let cflag = get_cf rep psw and
       vflag = get_vf rep psw and
       nflag = negp rep result and
       zflag = zerop rep result and
       sm = get_sm rep psw and
       ie = get_ie rep psw in
   (UPDATE_REG rep psw d reg result,
    mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
    pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
 );;

save_thm(`BAND_u1`, EXPAND_LET_RULE BAND_u1);;




%
table entry 21: first uinst for BOR (dest := srca OR srcb)
%
let BOR_u1 = new_definition
 (`BOR_u1_def`,
  "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
    (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
    (int_e:bool) .
   BOR_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
              (int_e) =
   let a = EL (reg_len rep (srca rep ir)) reg and
       b = EL (reg_len rep (srcb rep ir)) reg and
       d = reg_len rep (dest rep ir) in
   let result = (bor rep (a, b)) in
   let cflag = get_cf rep psw and
       vflag = get_vf rep psw and
       nflag = negp rep result and
       zflag = zerop rep result and
       sm = get_sm rep psw and
       ie = get_ie rep psw in
   (UPDATE_REG rep psw d reg result,
    mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
    pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
 );;

save_thm(`BOR_u1`, EXPAND_LET_RULE BOR_u1);;


%
table entry 22: first uinst for BXOR (dest := srca XOR srcb)
%
let BXOR_u1 = new_definition
 (`BXOR_u1_def`,
  "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
    (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
    (int_e:bool) .
   BXOR_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
   let a = EL (reg_len rep (srca rep ir)) reg and
       b = EL (reg_len rep (srcb rep ir)) reg and
       d = reg_len rep (dest rep ir) in
   let result = (bxor rep (a, b)) in
   let cflag = get_cf rep psw and
       vflag = get_vf rep psw and
       nflag = negp rep result and
       zflag = zerop rep result and
       sm = get_sm rep psw and
       ie = get_ie rep psw in
   (UPDATE_REG rep psw d reg result,
    mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
    pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
 );;

save_thm(`BXOR_u1`, EXPAND_LET_RULE BXOR_u1);;

%
table entry 23: first uinst for BNOT (dest := NOT srca)
%
let BNOT_u1 = new_definition
 (`BNOT_u1_def`,
  "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
    (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
    (int_e:bool) .
   BNOT_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
   let a = EL (reg_len rep (srca rep ir)) reg and
       d = reg_len rep (dest rep ir) in
   let result = (bnot rep a) in
   let cflag = get_cf rep psw and
       vflag = get_vf rep psw and
       nflag = negp rep result and
       zflag = zerop rep result and
       sm = get_sm rep psw and
       ie = get_ie rep psw in
   (UPDATE_REG rep psw d reg result,
    mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
    pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
 );;

save_thm(`BNOT_u1`, EXPAND_LET_RULE BNOT_u1);;

%
table entry 24: first uinst for ADDI (dest := srca + imm)
%
let ADDI_u1 = new_definition
 (`ADDI_u1_def`,
  "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
    (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
    (int_e:bool) .
   ADDI_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
   let a = EL (reg_len rep (srca rep ir)) reg and
       i = imm rep ir and
       d = reg_len rep (dest rep ir) in
   let result = (add rep (a, i)) in
   let cflag = addp rep (a, i, result) and
       vflag = aovfl rep (a, i, result) and
       nflag = negp rep result and
       zflag = zerop rep result and
       sm = get_sm rep psw and
       ie = get_ie rep psw in
   (UPDATE_REG rep psw d reg result,
    mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
    pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
 );;

save_thm(`ADDI_u1`, EXPAND_LET_RULE ADDI_u1);;


%
table entry 25: first uinst for ADDCI (dest := srca + imm + carry)
%
let ADDCI_u1 = new_definition
 (`ADDCI_u1_def`,
  "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
    (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
    (int_e:bool) .
   ADDCI_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
                (int_e) =
   let a = EL (reg_len rep (srca rep ir)) reg and
       i = imm rep ir and
       d = reg_len rep (dest rep ir) in
   let result = (addc rep (a, i, get_cf rep psw)) in
   let cflag = addcp rep (a, i, result) and
       vflag = aovfl rep (a, i, result) and
       nflag = negp rep result and
       zflag = zerop rep result and
       sm = get_sm rep psw and
       ie = get_ie rep psw in
   (UPDATE_REG rep psw d reg result,
    mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
    pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
 );;

save_thm(`ADDCI_u1`, EXPAND_LET_RULE ADDCI_u1);;


%
table entry 26: first uinst for SUBI (dest := srca - imm)
%
let SUBI_u1 = new_definition
 (`SUBI_u1_def`,
  "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
    (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
    (int_e:bool) .
   SUBI_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
   let a = EL (reg_len rep (srca rep ir)) reg and
       i = imm rep ir and
       d = reg_len rep (dest rep ir) in
   let result = (sub rep (a, i)) in
   let cflag = subp rep (a, i, result) and
       vflag = sovfl rep (a, i, result) and
       nflag = negp rep result and
       zflag = zerop rep result and
       sm = get_sm rep psw and
       ie = get_ie rep psw in
   (UPDATE_REG rep psw d reg result,
    mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
    pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
 );;

save_thm(`SUBI_u1`, EXPAND_LET_RULE SUBI_u1);;

%
table entry 27: first uinst for SUBCI (dest := srca - imm with carry in)
%
let SUBCI_u1 = new_definition
 (`SUBCI_u1_def`,
  "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
    (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
    (int_e:bool) .
   SUBCI_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
                (int_e) =
   let a = EL (reg_len rep (srca rep ir)) reg and
       i = imm rep ir and
       d = reg_len rep (dest rep ir) in
   let result = (subc rep (a, i, get_cf rep psw)) in
   let cflag = subp rep (a, i, result) and
       vflag = sovfl rep (a, i, result) and
       nflag = negp rep result and
       zflag = zerop rep result and
       sm = get_sm rep psw and
       ie = get_ie rep psw in
   (UPDATE_REG rep psw d reg result,
    mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
    pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
 );;

save_thm(`SUBCI_u1`, EXPAND_LET_RULE SUBCI_u1);;


%
table entry 28: first uinst for BANDI (dest := srca AND imm)
%
let BANDI_u1 = new_definition
 (`BANDI_u1_def`,
  "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
    (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
    (int_e:bool) .
   BANDI_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
                (int_e) =
   let a = EL (reg_len rep (srca rep ir)) reg and
       i = imm rep ir and
       d = reg_len rep (dest rep ir) in
   let result = (band rep (a, i)) in
   let cflag = get_cf rep psw and
       vflag = get_vf rep psw and
       nflag = negp rep result and
       zflag = zerop rep result and
       sm = get_sm rep psw and
       ie = get_ie rep psw in
   (UPDATE_REG rep psw d reg result,
    mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
    pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
 );;

save_thm(`BANDI_u1`, EXPAND_LET_RULE BANDI_u1);;


%
table entry 29: first uinst for BORI (dest := srca OR imm)
%
let BORI_u1 = new_definition
 (`BORI_u1_def`,
  "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
    (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
    (int_e:bool) .
   BORI_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
   let a = EL (reg_len rep (srca rep ir)) reg and
       i = imm rep ir and
       d = reg_len rep (dest rep ir) in
   let result = (bor rep (a, i)) in
   let cflag = get_cf rep psw and
       vflag = get_vf rep psw and
       nflag = negp rep result and
       zflag = zerop rep result and
       sm = get_sm rep psw and
       ie = get_ie rep psw in
   (UPDATE_REG rep psw d reg result,
    mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
    pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
 );;

save_thm(`BORI_u1`, EXPAND_LET_RULE BORI_u1);;


%
table entry 30: first uinst for BXORI (dest := srca XOR imm)
%
let BXORI_u1 = new_definition
 (`BXORI_u1_def`,
  "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
    (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
    (int_e:bool) .
   BXORI_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
                (int_e) =
   let a = EL (reg_len rep (srca rep ir)) reg and
       i = imm rep ir and
       d = reg_len rep (dest rep ir) in
   let result = (bxor rep (a, i)) in
   let cflag = get_cf rep psw and
       vflag = get_vf rep psw and
       nflag = negp rep result and
       zflag = zerop rep result and
       sm = get_sm rep psw and
       ie = get_ie rep psw in
   (UPDATE_REG rep psw d reg result,
    mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
    pc, mem, ivec, ir, mar, mbr, ^FETCH_ADDR)"
 );;

save_thm(`BXORI_u1`, EXPAND_LET_RULE BXORI_u1);;

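The flag computations in the ALU microinstructions above are abstract: ADD_u1 through SUBCI_u1 call addp/addcp, aovfl, subp, sovfl, negp and zerop through the representation parameter rep, while LSL_u1, LSR_u1 and ASR_u1 take the new carry from msb or lsb of the source and copy the remaining flags from the old psw. The Python model below is an added example, not part of the report's proof scripts; it gives one concrete n-bit two's-complement reading of those predicates so the definitions can be exercised on sample operands. Things it assumes that the page does not fix: an 8-bit word (WORD), that the carry fed into subc and produced by subp is a borrow, and that the immediate forms (ADDI, SUBCI, ...) behave like the register forms with the immediate as the second operand.

```python
WORD = 8                     # assumed word width; the HOL text leaves *wordn abstract
MASK = (1 << WORD) - 1
SIGN = 1 << (WORD - 1)


def signed(x):
    """Interpret an unsigned WORD-bit pattern as two's complement."""
    return x - (1 << WORD) if x & SIGN else x


def negp(r):                 # nflag: sign bit of the result
    return bool(r & SIGN)


def zerop(r):                # zflag: result is all zeros
    return r == 0


def add(a, b, cin=0):
    """add/addc with addp (carry out) and aovfl (signed overflow)."""
    full = a + b + cin
    r = full & MASK
    c = full > MASK                            # carry out of the top bit
    v = ((a ^ r) & (b ^ r) & SIGN) != 0        # operands agree in sign, result differs
    return r, c, v


def sub(a, b, bin_=0):
    """sub/subc with subp read as borrow out (assumption) and sovfl."""
    full = a - b - bin_
    r = full & MASK
    c = full < 0                               # borrow out
    v = ((a ^ b) & (a ^ r) & SIGN) != 0        # operand signs differ, result sign differs from a
    return r, c, v


def execute(op, a, b, psw):
    """Mirror of the *_u1 definitions for one ALU op.

    psw is a dict with keys c, v, n, z, sm, ie (the components of mk_psw).
    Returns (result, new_psw); sm and ie are passed through unchanged, as
    every ALU microinstruction on the page does.
    """
    c, v, n, z = psw["c"], psw["v"], psw["n"], psw["z"]
    if op in ("ADD", "ADDC", "SUB", "SUBC"):
        cin = int(psw["c"]) if op in ("ADDC", "SUBC") else 0
        r, c, v = (add if op.startswith("ADD") else sub)(a, b, cin)
        n, z = negp(r), zerop(r)
    elif op in ("BAND", "BOR", "BXOR", "BNOT"):     # logical ops keep c and v
        r = {"BAND": a & b, "BOR": a | b, "BXOR": a ^ b, "BNOT": ~a & MASK}[op]
        n, z = negp(r), zerop(r)
    elif op == "LSL":            # shifts update only the carry; n, z, v stay stale
        r, c = (a << 1) & MASK, bool(a & SIGN)
    elif op == "LSR":
        r, c = a >> 1, bool(a & 1)
    elif op == "ASR":
        r, c = (signed(a) >> 1) & MASK, bool(a & 1)
    else:
        raise ValueError(f"unknown ALU op {op}")
    return r, dict(psw, c=c, v=v, n=n, z=z)


P0 = dict(c=False, v=False, n=False, z=False, sm=False, ie=True)   # constructed start psw
```

A point worth noticing when reading LSL_u1, LSR_u1 and ASR_u1 against this model: after a shift, nflag and zflag still describe the previous ALU result, so a branch that tests "zero" after a shift is testing stale state. That is what the definitions say, and the model reproduces it rather than correcting it.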
%
table entry 31: first uinst for NOOP (already defined)
%

%
code for external interrupt: save pc on the supervisor stack, enter
supervisor mode with interrupts disabled, then vector through ivec
%
let EINT_u1 = new_definition
 (`EINT_u1_def`,
  "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
    (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
    (int_e:bool) .
   EINT_u1 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
   let cflag = get_cf rep psw and
       vflag = get_vf rep psw and
       nflag = get_nf rep psw and
       zflag = get_zf rep psw and
       sm = T and
       ie = F in
   (reg,
    mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
    pc, mem, ivec, ir, mar, pc, ^EINT_u2_ADDR)"
 );;

save_thm(`EINT_u1`, EXPAND_LET_RULE EINT_u1);;

%
EINT_u2_ADDR: mar := supervisor stack pointer
%
let EINT_u2 = new_definition
 (`EINT_u2_def`,
  "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
    (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
    (int_e:bool) .
   EINT_u2 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
   (reg, psw, pc, mem, ivec, ir, SSP_REG reg, mbr, ^EINT_u3_ADDR)"
 );;

save_thm(`EINT_u2`, EXPAND_LET_RULE EINT_u2);;

%
EINT_u3_ADDR: push the saved pc (mem[mar] := mbr) and increment SSP
%
let EINT_u3 = new_definition
 (`EINT_u3_def`,
  "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
    (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
    (int_e:bool) .
   EINT_u3 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
   let result = inc rep (SSP_REG reg) in
   (UPDATE_REG rep psw ssp_reg reg result,
    psw, pc,
    store rep (mem, address rep mar, mbr),
    ivec, ir, mar, mbr, ^EINT_u4_ADDR)"
 );;

save_thm(`EINT_u3`, EXPAND_LET_RULE EINT_u3);;

%
EINT_u4_ADDR: pc := low eight bits of the latched interrupt vector
%
let EINT_u4 = new_definition
 (`EINT_u4_def`,
  "!(rep:^rep_ty) (reg:(*wordn)list) (mem:*memory)
    (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
    (int_e:bool) .
   EINT_u4 rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
               (int_e) =
   let result = band rep (wordn rep 255, int_latch rep ivec) in
   (reg, psw, result, mem,
    ivec, ir, mar, mbr, ^FETCH_ADDR)"
 );;

save_thm(`EINT_u4`, EXPAND_LET_RULE EINT_u4);;

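To see what the EINT_u1 to EINT_u4 sequence, the RTI_u2/RTI_u3 return path and the supervisor check in PPSW_u1 do to the machine state, here is an executable Python model of the micro-state tuple (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc) and those microinstructions. It is an added example, not code from the report. Values the page leaves abstract and this model assumes: a 32-bit word, register index 7 for the supervisor stack pointer (the HOL text uses SSP_REG and ssp_reg), the PSW bit positions (z, c, n, v, ie, sm from bit 0 upwards), symbolic names in place of the bt6 microaddresses, and the effect of RTI_u1, which is modelled from its microcode field Oper(ssp,nsh,ssp,dec,noreg,mar) because its HOL definition is not on this page.

```python
from dataclasses import dataclass, replace

WORD = 32                       # ass umed word width (*wordn is abstract in HOL)
MASK = (1 << WORD) - 1
SSP = 7                         # assumed register-file index of the supervisor stack pointer

# Assumed PSW bit layout, reading mk_psw's (sm, ie, v, n, c, z) tuple MSB first.
PSW_BITS = {"z": 0, "c": 1, "n": 2, "v": 3, "ie": 4, "sm": 5}


@dataclass(frozen=True)
class PSW:
    sm: bool = False            # supervisor mode
    ie: bool = True             # interrupts enabled
    v: bool = False
    n: bool = False
    c: bool = False
    z: bool = False

    def to_word(self):          # the word GPSW_u1 would copy into a register
        return sum(int(getattr(self, f)) << b for f, b in PSW_BITS.items())

    @classmethod
    def from_word(cls, w):
        return cls(**{f: bool((w >> b) & 1) for f, b in PSW_BITS.items()})


@dataclass
class State:
    reg: list                   # register file
    psw: PSW
    pc: int
    mem: dict                   # sparse memory: address -> word
    ivec: int                   # interrupt vector latch input
    ir: int = 0
    mar: int = 0
    mbr: int = 0
    mpc: str = "FETCH_ADDR"     # microprogram counter, as a symbolic address


# Each function is one microinstruction: it rewrites the state and sets mpc
# to the next address, exactly the last component of the HOL result tuples.
def EINT_u1(s):                 # psw := (sm=T, ie=F, flags kept); mbr := pc
    s.psw = replace(s.psw, sm=True, ie=False)
    s.mbr = s.pc
    s.mpc = "EINT_u2_ADDR"

def EINT_u2(s):                 # mar := SSP
    s.mar = s.reg[SSP]
    s.mpc = "EINT_u3_ADDR"

def EINT_u3(s):                 # mem[mar] := mbr; SSP := SSP + 1
    s.mem[s.mar] = s.mbr
    s.reg[SSP] = (s.reg[SSP] + 1) & MASK
    s.mpc = "EINT_u4_ADDR"

def EINT_u4(s):                 # pc := int_latch(ivec) AND 255
    s.pc = s.ivec & 255
    s.mpc = "FETCH_ADDR"

def RTI_u1(s):                  # assumed from RTI_u1_mc: SSP := SSP - 1; mar := new SSP
    s.reg[SSP] = (s.reg[SSP] - 1) & MASK
    s.mar = s.reg[SSP]
    s.mpc = "RTI_u2_ADDR"

def RTI_u2(s):                  # psw := (sm=F, ie=T, flags kept); mbr := mem[mar]
    s.psw = replace(s.psw, sm=False, ie=True)
    s.mbr = s.mem[s.mar]
    s.mpc = "RTI_u3_ADDR"

def RTI_u3(s):                  # pc := mbr
    s.pc = s.mbr
    s.mpc = "FETCH_ADDR"

def PPSW_u1(s, d):              # psw := reg[d] only in supervisor mode, else unchanged
    if s.psw.sm:
        s.psw = PSW.from_word(s.reg[d])
    s.mpc = "FETCH_ADDR"


MICRO = {f.__name__ + "_ADDR": f for f in
         (EINT_u1, EINT_u2, EINT_u3, EINT_u4, RTI_u1, RTI_u2, RTI_u3)}

def run(s, entry):
    """Follow mpc from `entry` until the sequence returns to FETCH_ADDR."""
    s.mpc = entry
    while s.mpc != "FETCH_ADDR":
        MICRO[s.mpc](s)
    return s

def fresh_state():
    reg = [0] * 32
    reg[SSP] = 0x1000           # constructed initial supervisor stack pointer
    return State(reg=reg, psw=PSW(), pc=0x0400, mem={}, ivec=0x0312)

def interrupt_then_return():
    """(sm, ie, pc, pushed word, SSP) after entry; (sm, ie, pc, SSP) after RTI."""
    s = fresh_state()
    run(s, "EINT_u1_ADDR")
    entry = (s.psw.sm, s.psw.ie, s.pc, s.mem[0x1000], s.reg[SSP])
    run(s, "RTI_u1_ADDR")
    back = (s.psw.sm, s.psw.ie, s.pc, s.reg[SSP])
    return entry, back

def user_mode_ppsw_cannot_raise_privilege():
    s = fresh_state()           # starts in user mode (sm=False)
    s.reg[3] = PSW(sm=True, ie=False).to_word()
    PPSW_u1(s, 3)
    return (not s.psw.sm) and s.psw.ie
```

The two checks at the end are the properties a reviewer of this microcode wants to hold: the interrupt entry leaves the machine in supervisor mode with interrupts masked and the old pc on the supervisor stack, RTI restores pc and drops privilege, and a PPSW issued in user mode cannot set the sm bit because the conditional in PPSW_u1 ignores the register contents.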
let micro_state = ":(*wordn)list#*wordn#*wordn#*memory#
                    *wordn#*wordn#*wordn#*wordn#bt6";;

let micro_env = ":bool";;

%
The micro_inst_list will be used to instantiate inst_list
in ml_micro.ml. Each entry pairs a 6-bit microaddress with the
microinstruction stored there.
%
let micro_inst_list = new_definition
 (`micro_inst_list`,
  "!rep:^rep_ty .
   micro_inst_list rep =
    [((F,F,F,F,F,F), (FETCH rep));
     ((F,F,F,F,F,T), (ISSUE rep));
     ((F,F,F,F,T,F), (DECODE rep));
     ((F,F,F,F,T,T), (NOOP_u1 rep));
     ((F,F,F,T,F,F), (JMP_u1 rep));
     ((F,F,F,T,F,T), (CALL_u1 rep));
     ((F,F,F,T,T,F), (INT_u1 rep));
     ((F,F,F,T,T,T), (RTI_u1 rep));
     ((F,F,T,F,F,F), (GPSW_u1 rep));
     ((F,F,T,F,F,T), (PPSW_u1 rep));
     ((F,F,T,F,T,F), (LD_u1 rep));
     ((F,F,T,F,T,T), (ST_u1 rep));
     ((F,F,T,T,F,F), (LSL_u1 rep));
     ((F,F,T,T,F,T), (LSR_u1 rep));
     ((F,F,T,T,T,F), (ASR_u1 rep));
     ((F,F,T,T,T,T), (RTN_u1 rep));
     ((F,T,F,F,F,F), (NOOP_u1 rep));
     ((F,T,F,F,F,T), (NOOP_u1 rep));
     ((F,T,F,F,T,F), (LDI_u1 rep));
     ((F,T,F,F,T,T), (STI_u1 rep));
     ((F,T,F,T,F,F), (ADD_u1 rep));
     ((F,T,F,T,F,T), (ADDC_u1 rep));
     ((F,T,F,T,T,F), (SUB_u1 rep));
     ((F,T,F,T,T,T), (SUBC_u1 rep));
     ((F,T,T,F,F,F), (BAND_u1 rep));
     ((F,T,T,F,F,T), (BOR_u1 rep));
     ((F,T,T,F,T,F), (BXOR_u1 rep));
     ((F,T,T,F,T,T), (BNOT_u1 rep));
     ((F,T,T,T,F,F), (ADDI_u1 rep));
     ((F,T,T,T,F,T), (ADDCI_u1 rep));
     ((F,T,T,T,T,F), (SUBI_u1 rep));
     ((F,T,T,T,T,T), (SUBCI_u1 rep));
     ((T,F,F,F,F,F), (BANDI_u1 rep));
     ((T,F,F,F,F,T), (BORI_u1 rep));
     ((T,F,F,F,T,F), (BXORI_u1 rep));
     ((T,F,F,F,T,T), (NOOP_u1 rep));
     ((T,F,F,T,F,F), (CALL_u2 rep));
     ((T,F,F,T,F,T), (CALL_u3 rep));
     ((T,F,F,T,T,F), (CALL_u4 rep));
     ((T,F,F,T,T,T), (INT_u2 rep));
     ((T,F,T,F,F,F), (INT_u3 rep));
     ((T,F,T,F,F,T), (INT_u4 rep));
     ((T,F,T,F,T,F), (RTI_u2 rep));
     ((T,F,T,F,T,T), (RTI_u3 rep));
     ((T,F,T,T,F,F), (RTN_u2 rep));
     ((T,F,T,T,F,T), (LD_u2 rep));
     ((T,F,T,T,T,F), (ST_u2 rep));
     ((T,F,T,T,T,T), (ST_u3 rep));
     ((T,T,F,F,F,F), (STI_u2 rep));
     ((T,T,F,F,F,T), (EINT_u1 rep));
     ((T,T,F,F,T,F), (EINT_u2 rep));
     ((T,T,F,F,T,T), (EINT_u3 rep));
     ((T,T,F,T,F,F), (EINT_u4 rep));
     ((T,T,F,T,F,T), (LD_u3 rep));
     ((T,T,F,T,T,F), (NOOP_u1 rep));
     ((T,T,F,T,T,T), (NOOP_u1 rep));
     ((T,T,T,F,F,F), (NOOP_u1 rep));
     ((T,T,T,F,F,T), (NOOP_u1 rep));
     ((T,T,T,F,T,F), (NOOP_u1 rep));
     ((T,T,T,F,T,T), (NOOP_u1 rep));
     ((T,T,T,T,F,F), (NOOP_u1 rep));
     ((T,T,T,T,F,T), (NOOP_u1 rep));
     ((T,T,T,T,T,F), (NOOP_u1 rep));
     ((T,T,T,T,T,T), (NOOP_u1 rep))]"
 );;

%
Select MPC from state. This is used to instantiate gen_I_th.
%
let GetMPC = new_definition
 (`GetMPC`,
  "!(reg:(*wordn)list) (mem:*memory)
    (psw pc ivec ir mar mbr :*wordn) (mpc:bt6)
    (int_e:bool) .
   GetMPC (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc)
          (int_e) = mpc"
 );;

close_theory();;



8.8.2 The Micro-Level Instructions

This section presents the ML code that creates the theory uinst_def.th.



%
File:        def_uinst.ml

Author:      (c) P. J. Windley 1990

Date:        JUN 23, 1990

Modified:

Description:

Defines the microinstructions and microrom for the
micro-level.
%

set_search_path (search_path() @ [`/muztag/home/windley/hol/tactics/`;
                                  `/muztag/home/windley/hol/ml/`
                                 ]);;

let Library_Root = `/muztag/home/windley/hol/Library/`;;

set_search_path
 (search_path() @
  (map (concat Library_Root) [`decimal/`; `assoc/`]));;

system `/bin/rm uinst.th`;;
new_theory `uinst`;;
loadf `ucode_aux`;;
new_parent `ucode_def`;;

%
Microaddresses of the second and later microinstructions of each
sequence. If you change these addresses, change the list in def_uinst.ml
as well.
%

let FETCH_ADDR   = "(F,F,F,F,F,F)";;

let CALL_u2_ADDR = "(T,F,F,T,F,F)";;
let CALL_u3_ADDR = "(T,F,F,T,F,T)";;
let CALL_u4_ADDR = "(T,F,F,T,T,F)";;

let INT_u2_ADDR  = "(T,F,F,T,T,T)";;
let INT_u3_ADDR  = "(T,F,T,F,F,F)";;
let INT_u4_ADDR  = "(T,F,T,F,F,T)";;

let RTI_u2_ADDR  = "(T,F,T,F,T,F)";;
let RTI_u3_ADDR  = "(T,F,T,F,T,T)";;
let RTN_u2_ADDR  = "(T,F,T,T,F,F)";;
let LD_u2_ADDR   = "(T,F,T,T,F,T)";;
let ST_u2_ADDR   = "(T,F,T,T,T,F)";;
let ST_u3_ADDR   = "(T,F,T,T,T,T)";;
let STI_u2_ADDR  = "(T,T,F,F,F,F)";;
let EINT_u1_ADDR = "(T,T,F,F,F,T)";;
let EINT_u2_ADDR = "(T,T,F,F,T,F)";;
let EINT_u3_ADDR = "(T,T,F,F,T,T)";;
let EINT_u4_ADDR = "(T,T,F,T,F,F)";;
let LD_u3_ADDR   = "(T,T,F,T,F,T)";;

let OFFSET = "(F,F,F,T,F,F)";;
let DUMMY  = "(T,T,T,T,T,T)";;

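The comment above warns that these address constants and the order of micro_inst_list (the 64-entry table earlier in this appendix, indexed by 6-bit microaddress) must be kept in step by hand. The following Python check is an added example, not anything from the report: it transcribes both (writing RTN_u1 at entry 15 and RTN_u2 at entry 44, where the scanned listing prints RTI) and verifies that every X_ADDR constant points at the entry named X, that the table has exactly 64 entries, and that the first microinstruction of opcode n is at microaddress n + OFFSET, which is how DECODE's jop dispatch reaches it. The opcode order is the "table entry" numbering used in the comments above the definitions; the tuple decoding (most significant bit first) is an assumption the check makes explicit.

```python
# Micro-ROM contents in address order, transcribed from micro_inst_list.
ROM = """FETCH ISSUE DECODE NOOP_u1 JMP_u1 CALL_u1 INT_u1 RTI_u1
GPSW_u1 PPSW_u1 LD_u1 ST_u1 LSL_u1 LSR_u1 ASR_u1 RTN_u1
NOOP_u1 NOOP_u1 LDI_u1 STI_u1 ADD_u1 ADDC_u1 SUB_u1 SUBC_u1
BAND_u1 BOR_u1 BXOR_u1 BNOT_u1 ADDI_u1 ADDCI_u1 SUBI_u1 SUBCI_u1
BANDI_u1 BORI_u1 BXORI_u1 NOOP_u1 CALL_u2 CALL_u3 CALL_u4 INT_u2
INT_u3 INT_u4 RTI_u2 RTI_u3 RTN_u2 LD_u2 ST_u2 ST_u3
STI_u2 EINT_u1 EINT_u2 EINT_u3 EINT_u4 LD_u3 NOOP_u1 NOOP_u1
NOOP_u1 NOOP_u1 NOOP_u1 NOOP_u1 NOOP_u1 NOOP_u1 NOOP_u1 NOOP_u1""".split()

# The let-bindings from def_uinst.ml, as HOL bool 6-tuples (name without _ADDR).
ADDR = {
    "FETCH":   "(F,F,F,F,F,F)",
    "CALL_u2": "(T,F,F,T,F,F)", "CALL_u3": "(T,F,F,T,F,T)", "CALL_u4": "(T,F,F,T,T,F)",
    "INT_u2":  "(T,F,F,T,T,T)", "INT_u3":  "(T,F,T,F,F,F)", "INT_u4":  "(T,F,T,F,F,T)",
    "RTI_u2":  "(T,F,T,F,T,F)", "RTI_u3":  "(T,F,T,F,T,T)", "RTN_u2":  "(T,F,T,T,F,F)",
    "LD_u2":   "(T,F,T,T,F,T)", "ST_u2":   "(T,F,T,T,T,F)", "ST_u3":   "(T,F,T,T,T,T)",
    "STI_u2":  "(T,T,F,F,F,F)", "EINT_u1": "(T,T,F,F,F,T)", "EINT_u2": "(T,T,F,F,T,F)",
    "EINT_u3": "(T,T,F,F,T,T)", "EINT_u4": "(T,T,F,T,F,F)", "LD_u3":   "(T,T,F,T,F,T)",
}
OFFSET = "(F,F,F,T,F,F)"

# Opcode order of the "table entry n" comments (entry 0 is JMP, entry 31 NOOP).
OPCODES = ["JMP", "CALL", "INT", "RTI", "GPSW", "PPSW", "LD", "ST",
           "LSL", "LSR", "ASR", "RTN", "NOOP", "NOOP", "LDI", "STI",
           "ADD", "ADDC", "SUB", "SUBC", "BAND", "BOR", "BXOR", "BNOT",
           "ADDI", "ADDCI", "SUBI", "SUBCI", "BANDI", "BORI", "BXORI", "NOOP"]


def bt6_to_int(t):
    """Decode a HOL (b5,b4,b3,b2,b1,b0) tuple, most significant bit first (assumed)."""
    bits = t.strip("()").replace(" ", "").split(",")
    if len(bits) != 6 or not set(bits) <= {"T", "F"}:
        raise ValueError(f"not a bt6 literal: {t}")
    return int("".join("1" if b == "T" else "0" for b in bits), 2)


def int_to_bt6(n):
    """Inverse of bt6_to_int, for 0 <= n < 64."""
    return "(" + ",".join("T" if (n >> i) & 1 else "F" for i in range(5, -1, -1)) + ")"


def check_rom(rom=ROM, addr=ADDR):
    """Return a list of mismatches; an empty list means the constants and table agree."""
    problems = []
    if len(rom) != 64:
        problems.append(f"ROM has {len(rom)} entries, expected 64")
    for name, t in addr.items():
        i = bt6_to_int(t)
        if i >= len(rom) or rom[i] != name:
            problems.append(f"{name}_ADDR = {t} -> ROM[{i}] is {rom[i] if i < len(rom) else 'missing'}")
    base = bt6_to_int(OFFSET)
    for op, mnem in enumerate(OPCODES):
        i = base + op
        if i >= len(rom) or rom[i] != mnem + "_u1":
            problems.append(f"opcode {op} ({mnem}) -> ROM[{i}] is {rom[i] if i < len(rom) else 'missing'}")
    return problems
```

Running check_rom() on the table as transcribed reports nothing; swapping two entries, or editing an address constant without moving the table entry, produces one line per broken link, which is the kind of regression the comment in the source asks the reader to guard against by hand.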

let FETCH_mc = new_definition
 (`FETCH_mc`,
  "FETCH_mc =
   (^(Oper(noreg,nsh,noreg,nop,noreg,mar_gets_pc)),
    ^(Set_PSW (pass,pass,pass,pass,pass,pass)),
    ^(ExtSig(off,off,rd)),
    ^(Mpc(jint,EINT_u1_ADDR)))"
 );;

%
FETCH_mc =
|- FETCH_mc =
   (F,(T,T),(T,F,F,T),F,T,T,(T,T,F),(T,F,T),T,F),(F,F,F,F,F,F,F,F,F),
   (F,F,T,F),(F,T,T),T,T,F,F,F,T
%



let ISSUE_mc = new_definition
 (`ISSUE_mc`,
  "ISSUE_mc =
   (^(Oper(ir,nsh,mbr,nop,noreg,noreg)),
    ^(Set_PSW (pass,pass,pass,pass,pass,pass)),
    ^(ExtSig(off,off,no_mem_op)),
    ^(Mpc(step,DUMMY)))"
 );;

%
ISSUE_mc =
|- ISSUE_mc =
   (T,(T,T),(T,F,F,T),F,F,F,(F,T,T),(T,F,T),T,F),(F,F,F,F,F,F,F,F,F),
   (F,F,F,F),(F,F,F),T,T,T,T,T,T
%

let DECODE_mc = new_definition
 (`DECODE_mc`,
  "DECODE_mc =
   (^(Oper(pc,nsh,pc,inc,noreg,noreg)),
    ^(Set_PSW (pass,pass,pass,pass,pass,pass)),
    ^(ExtSig(off,off,no_mem_op)),
    ^(Mpc(jop,DUMMY)))"
 );;

%
DECODE_mc =
|- DECODE_mc =
   (F,(T,T),(F,F,T,F),F,F,F,(T,F,F),(T,F,T),T,F),(F,F,F,F,F,F,F,F,F),
   (F,F,F,F),(F,T,F),T,T,T,T,T,T
%


let NOOP_u1_mc = new_definition
 (`NOOP_u1_mc`,
  "NOOP_u1_mc =
   (^(Oper(noreg,nsh,noreg,nop,noreg,noreg)),
    ^(Set_PSW (pass,pass,pass,pass,pass,pass)),
    ^(ExtSig(off,off,no_mem_op)),
    ^(Mpc(jmp,FETCH_ADDR)))"
 );;

%
NOOP_u1_mc =
|- NOOP_u1_mc =
   (F,(T,T),(T,F,F,T),F,F,F,(T,T,F),(T,F,T),T,F),(F,F,F,F,F,F,F,F,F),
   (F,F,F,F),(F,F,F),T,T,T,T,T,T
%

let JMP_u1_mc = new_definition
 (`JMP_u1_mc`,
  "JMP_u1_mc =
   (^(Oper(pc,nsh,reg_file,add,ir,noreg)),
    ^(Set_PSW (pass,pass,pass,pass,pass,pass)),
    ^(ExtSig(off,off,no_mem_op)),
    ^(Mpc(jmp,FETCH_ADDR)))"
 );;

%
JMP_u1_mc =
|- JMP_u1_mc =
   (F,(T,T),(F,F,F,F),F,F,F,(T,F,T),(F,F,F),T,F),(F,F,F,F,F,F,F,F,F),
   (F,F,F,F),(F,F,T),F,F,F,F,F,F
%


let CALL_u1_mc = new_definition
 (`CALL_u1_mc`,
  "CALL_u1_mc =
   (^(Oper(noreg,nsh,pc,nop,noreg,mbr)),
    ^(Set_PSW (pass,pass,pass,pass,pass,pass)),
    ^(ExtSig(off,off,no_mem_op)),
    ^(Mpc(jmp,CALL_u2_ADDR)))"
 );;

%
CALL_u1_mc =
|- CALL_u1_mc =
   (F,(T,T),(T,F,F,T),T,F,F,(T,T,F),(T,F,T),T,F),(F,F,F,F,F,F,F,F,F),
   (F,F,F,F),(F,F,T),T,F,F,T,F,F
%


let CALL_u2_mc = new_definition
 (`CALL_u2_mc`,
  "CALL_u2_mc =
   (^(Oper(noreg,nsh,reg_dest,nop,noreg,mar)),
    ^(Set_PSW (pass,pass,pass,pass,pass,pass)),
    ^(ExtSig(off,off,no_mem_op)),
    ^(Mpc(jmp,CALL_u3_ADDR)))"
 );;

%
CALL_u2_mc =
|- CALL_u2_mc =
   (F,(T,T),(T,F,F,T),F,T,F,(T,T,F),(F,F,T),T,F),(F,F,F,F,F,F,F,F,F),
   (F,F,F,F),(F,F,T),T,F,F,T,F,T
%

let CALL_u3_mc = new_definition
 (`CALL_u3_mc`,
  "CALL_u3_mc =
   (^(Oper(pc,nsh,reg_file,add,ir,noreg)),
    ^(Set_PSW (pass,pass,pass,pass,pass,pass)),
    ^(ExtSig(off,off,wr)),
    ^(Mpc(jmp,CALL_u4_ADDR)))"
 );;

%
CALL_u3_mc =
|- CALL_u3_mc =
   (F,(T,T),(F,F,F,F),F,F,F,(T,F,F),(F,F,F),T,F),(F,F,F,F,F,F,F,F,F),
   (F,F,F,T),(F,F,T),T,F,F,T,T,F
%

let CALL_u4_mc = new_definition
 (`CALL_u4_mc`,
  "CALL_u4_mc =
   (^(Oper(reg_file,nsh,reg_dest,inc,noreg,noreg)),
    ^(Set_PSW (pass,pass,pass,pass,pass,pass)),
    ^(ExtSig(off,off,no_mem_op)),
    ^(Mpc(jmp,FETCH_ADDR)))"
 );;

%
CALL_u4_mc =
|- CALL_u4_mc =
   (F,(T,T),(F,F,T,F),F,F,F,(F,F,F),(F,F,T),T,F),(F,F,F,F,F,F,F,F,F),
   (F,F,F,F),(F,F,T),F,F,F,F,F,F
%


let INT_u1_mc = new_definition
 (`INT_u1_mc`,
  "INT_u1_mc =
   (^(Oper(noreg,nsh,pc,nop,noreg,mbr)),
    ^(Set_PSW (set_sm,clr_ie,pass,pass,pass,pass)),
    ^(ExtSig(off,off,no_mem_op)),
    ^(Mpc(jmp,INT_u2_ADDR)))"
 );;

%
INT_u1_mc =
|- INT_u1_mc =
   (F,(T,T),(T,F,F,T),T,F,F,(T,T,F),(T,F,T),T,F),(T,F,F,T,F,F,F,F,F),
   (F,F,F,F),(F,F,T),T,F,F,T,T,T
%

let INT_u2_mc = new_definition
 (`INT_u2_mc`,
  "INT_u2_mc =
   (^(Oper(noreg,nsh,ssp,nop,noreg,mar)),
    ^(Set_PSW (pass,pass,pass,pass,pass,pass)),
    ^(ExtSig(off,off,no_mem_op)),
    ^(Mpc(jmp,INT_u3_ADDR)))"
 );;

%
INT_u2_mc =
|- INT_u2_mc =
   (F,(T,T),(T,F,F,T),F,T,F,(T,T,F),(F,T,F),T,F),(F,F,F,F,F,F,F,F,F),
   (F,F,F,F),(F,F,T),T,F,T,F,F,F
%

let INT_u3_mc = new_definition
 (`INT_u3_mc`,
  "INT_u3_mc =
   (^(Oper(ssp,nsh,ssp,inc,noreg,noreg)),
    ^(Set_PSW (pass,pass,pass,pass,pass,pass)),
    ^(ExtSig(off,off,no_mem_op)),
    ^(Mpc(jmp,INT_u4_ADDR)))"
 );;

%
INT_u3_mc =
|- INT_u3_mc =
   (F,(T,T),(F,F,T,F),F,F,F,(F,F,T),(F,T,F),T,F),(F,F,F,F,F,F,F,F,F),
   (F,F,F,F),(F,F,T),T,F,T,F,F,T
%

let INT_u4_mc = new_definition
 (`INT_u4_mc`,
  "INT_u4_mc =
   (^(Oper(pc,nsh,C255,band,ir,noreg)),
    ^(Set_PSW (pass,pass,pass,pass,pass,pass)),
    ^(ExtSig(off,off,wr)),
    ^(Mpc(jmp,FETCH_ADDR)))"
 );;

%
INT_u4_mc =
|- INT_u4_mc =
   (F,(T,T),(F,T,T,F),F,F,F,(T,F,F),(T,F,F),T,F),(F,F,F,F,F,F,F,F,F),
   (F,F,F,T),(F,F,T),F,F,F,F,F,F
%


let RTI_u1_mc = new_definition
 (`RTI_u1_mc`,
  "RTI_u1_mc =
   (^(Oper(ssp,nsh,ssp,dec,noreg,mar)),
    ^(Set_PSW (pass,pass,pass,pass,pass,pass)),
    ^(ExtSig(off,off,no_mem_op)),
    ^(Mpc(jmp,RTI_u2_ADDR)))"
 );;

%
RTI_u1_mc =
|- RTI_u1_mc =
   (F,(T,T),(F,T,F,T),F,T,F,(F,F,T),(F,T,F),T,F),(F,F,F,F,F,F,F,F,F),
   (F,F,F,F),(F,F,T),T,F,T,F,T,F
%

let RTI_u2_mc = new_definition
 (`RTI_u2_mc`,
  "RTI_u2_mc =
   (^(Oper(noreg,nsh,noreg,nop,noreg,noreg)),
    ^(Set_PSW (clr_sm,set_ie,pass,pass,pass,pass)),
    ^(ExtSig(off,off,rd)),
    ^(Mpc(jmp,RTI_u3_ADDR)))"
 );;

%
RTI_u2_mc =
|- RTI_u2_mc =
   (F,(T,T),(T,F,F,T),F,F,F,(T,T,F),(T,F,T),T,F),(F,T,T,F,F,F,F,F,F),
   (F,F,T,F),(F,F,T),T,F,T,F,T,T
%

let RTI_u3_mc = new_definition
 (`RTI_u3_mc`,
  "RTI_u3_mc =
   (^(Oper(pc,nsh,mbr,nop,noreg,noreg)),
    ^(Set_PSW (pass,pass,pass,pass,pass,pass)),
    ^(ExtSig(off,off,no_mem_op)),
    ^(Mpc(jmp,FETCH_ADDR)))"
 );;

%
RTI_u3_mc =
|- RTI_u3_mc =
   (T,(T,T),(T,F,F,T),F,F,F,(T,F,F),(T,F,T),T,F),(F,F,F,F,F,F,F,F,F),
   (F,F,T,F),(F,F,T),F,F,F,F,F,F
%

lrt GPSW.ul.ac “ naw.daf inition 
( ‘GPSW.ul.ac ' , 

"GPSW.ul.ac - 

( ‘ (Opar (rag.f ila , nsb , pss ,aop , norag , norag) ) , 

‘(Sat.PSW (pass, pass, pass, pass, pass, pass)), 
*(ExtSig(ofi,ofl, no.aaa.op)) , 

- (Mpc ( jap , FETCH.IDDR) ) ) ” 

);; 


% 

GPSW.ul.ac - 
I- GPSW.ul.ac - 

(F,(T,T),(T,F,F,T),F,F,F,(F,F,F),(F,T,T),T,F),(F,F,F,F,F,F,F,F,F), 

(F,F,F,F),(F,F,T),F,F,F,F,F,F 

X 


lat PPSW.ul.ac ■ naw.daf inition 
('PPSW.ul.ac' , 

"PPSW.ul.ac - 

( * (Opar (pss , nsh , r ag.dast , nop , norag , norag )) , 
‘(Sat.PSW (pass, pass, pass, pass, pass, pass)), 
*(ExtSig(ofi, off, no.aaa.op)) , 

' (Mpc ( jap, FETCH.ADDR) ) ) " 

); ; 


X 

PPSW.ul.ac - 
I- PPSW.ul.ac - 

(F,(T,T),(T,F.F,T).F.F.F,(F.T,F),(F.F.T),T.F),(F.F,F,F,F,P,F.F.F). 

(F,F,F,F),(F,F,T),F,F,F,F,F,F 

X 


lat LO.ul.ac ” naw.daf inition 
CLD.ul.ae' , 

"LD.ul.ac - 

( * (Opar (norag , nsh , rag.f ila , add , r ag.i ila , aar ) ) , 
‘(Sat.PSW (pass, pass, pass, pass, pass, pass)), 
* (ExtSig(off , oil .no.aaa.op) ) , 

' (Mpc( jap, LD_u2_ ADDR) ) ) • 

);; 
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l«t LD_u2_mc “ naw.daf inition 
(‘LD.u2.»c f , 

M LD_u2_ac - 

( * (Opar (nor ag , n*h .norag , nop , norag , nor «g ) ) , 
*(Sat_PSV (pa*s, put, pa**. pa**, pa**. pa**)). 
*(ExtSig(off .off.rd)) , 

*(Hpc(j*p,LD_u3_ADDR) ) )" 

l#t LD_u3_»e “ naw.daf init ion 
(‘LD_u3_»c‘ , 

"LD_u3_«c - 

( ' (Opar (rag.f il«, n*h , *br ,nop .norag , norag ) ) . 

* (Sat.PSW (pa**, pa**, pa*», pa*», pa»», pa**)), 
*(ExtSig(off,off .no.aaa.op)) , 

* (Hpc ( jmp . FETCH. ADDR) ) ) " 

);; 


l#t ST_ul_»c * naw.dai inition 
( *ST_ui_»c 1 , 

"ST.ul.ac - 

(" (Opar (norag, nsh,rag_l ila ,»dd,rag_iila ,*ar) ) , 
~(Sat_PSV (pass, pass, pass, pass, pass, pass)), 
“ (ExtSig(oll , off ,no_aa*^op) ) , 

- (Hpc ( jmp ,ST_u2 JLDDR) ) ) ” 

);; 


% 

ST_ul_*c * 

(F, (T,T) ,(F,F,F,F) ,F,T,F, (T,T,F) , (F,F,F),F,F), (F,F,F,F,F,F,F,F t F) , 

(F,F,F,F),(F,F,T),T,F,T,T,T,F 




1st ST_u2_mc * naw.daf inition 
('ST_u2_»c‘ , 
n ST_u2_»c * 

(~ (Opar (norag, nsh,rag_dast ,nop, rag.f ila ,abr) ) , 

* (Sat_PSH (pa**, pa**, pa**, pa**, paa*. pa**)). 
*(ExtSig(off .off .no.mam.op)) , 

* (Hpc (jap , ST_u3_ADDR) ) ) " 


ST_u2_mc * 

(P, (T.T) .(T.F.P.T) .T.F.F, (T,T,F) , (P.P.T).F.F) , (F,F.F,P,F,P.F,F,P) , 

(F,F,F,F).(F,F,T),T.F.T,T,T,T 


lat ST_u3_*e * nam.daf init ion 
CST_u3_*c‘ , 

H ST„u3_»c * 

( * ( Opar (norag , nsh , norag , nop ,nor ag , nor ag ) ) , 


-<S*t_PStf (pass, pass, pass, pass, pass, pass)), 
“(ExtSig(off .off ,wr)) , 

* (Hpe (jap, FETCH. ADDR) ) ) " 


X 

ST_u3_*c ■ 

I- ST_u3_ac - 

<F.(T,T).(T.F.F.T).F.F,F,(T.T,F),(T,F,T),T,F),(F,F,F,F.F.F.F.F.F). 

(F.F.F.T),(F,F.T).F,F.F.F,F,F 




Xat LSL_ul.se “ naw.daf inition 
( *LSL_ul_ac * , 

"LSL.ul.ac - 

(~(Opar(rag_tila,shl,rag_tila,nop,norag,norag) ) , 

“(Sat.PSW (pass, pass, pass, pass, Id.froa.shiftar, pass)), 
“ (ExtSig (of f p off ,no_aaa.op) ) , 

* (Mpc (jap, FET CH _ ADDR ) ) ) » 

);; 


'L 


LSL.ul.ac * 

I- LSL.ul.ac ■ 

(F.(F,F),(T,F,F,T),F,F,F,(F,F,F),(F,F,F),T,F),(F,F,F,F,T,T,F,T, 

(F,F,F,F),(F,F,T),F,F,F,F,F,F 


F). 


■X 


Xat LSR.ul.ac * nav.daf inition 
(‘LSR_ul_ac f , 

"LSR.ul.ac - 

(* (Opar (rag.f iXa , ahr ,rag_f iXa ,nop, norag, norag) ) , 

* (Sat.PSW (pass, pass, pass, pass, ld.froa.shiftar, pass)), 
* (ExtSig (o ti , o ft ,no_aam_op) ) , 

* (Mpc (jap , FETCH,. ADDR) ) ) »' 




LSR.ul.ac * 

I- LSR.ul.ac ■ 

(F.(F.T),(T,F,F,T),F,F,F,(F,F,F).(F,F,F),T,F),(F,F.F.F,T,T,F,T.F). 

(F,F,F,F),(F,F,T),F,F,F,F,F,F 

x 


Xat ASR.ul.ac ■ naw.daf inition 
( * ASR_ul_ac * , 

"ASR.ul.ac « 

( * ( Opar (rag.f iXa , asr , rag.f iX# ,nop , norag , norag) ) , 

“(Sat.PSV (pass, pass, pass, pass, ld.froa. shit tar, pass)), 
“ (ExtSig (off ,otf ,no_aaa_op)) , 

• (Mpc ( jap , FETCH. ADDR) ) ) " 

);; 


X 

ASR.ul.ac » 
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I- ASR_u1.bc » 

(F.(T.F),(T,F.F,T) ,F.F,F,(F,F 
(F.F,F,F),(F,F.T).F,F.F.F,F.F 


,F).(F.F.F).T.F).(F.F.F.F.T,T.F.T.F), 


•X 


let RTN_u1_mc = new_definition
   (`RTN_u1_mc`,
    "RTN_u1_mc =
      (^(Oper (reg_file,nsh,reg_dest,dec,noreg,mar)),
       ^(Set_PSW (pass,pass,pass,pass,pass,pass)),
       ^(ExtSig (off,off,no_mem_op)),
       ^(Mpc (jmp,RTN_u2_ADDR)))"
   );;

%
RTN_u1_mc = 
|- RTN_u1_mc =
   (F,(T,T),(F,T,F,T),F,T,F,(F,F,F),(F,F,T),T,F),(F,F,F,F,F,F,F,F,F),
   (F,F,F,F),(F,F,T),T,F,T,T,F,F
%

let RTN_u2_mc = new_definition
   (`RTN_u2_mc`,
    "RTN_u2_mc =
      (^(Oper (noreg,nsh,noreg,nop,noreg,noreg)),
       ^(Set_PSW (pass,pass,pass,pass,pass,pass)),
       ^(ExtSig (off,off,rd)),
       ^(Mpc (jmp,RTI_u3_ADDR)))"
   );;

%
RTN_u2_mc = 
|- RTN_u2_mc =
   (F,(T,T),(T,F,F,T),F,F,F,(T,T,F),(T,F,T),T,F),(F,F,F,F,F,F,F,F,F),
   (F,F,T,F),(F,F,T),T,F,T,F,T,T
%

let LDI_u1_mc = new_definition
   (`LDI_u1_mc`,
    "LDI_u1_mc =
      (^(Oper (noreg,nsh,reg_file,add,ir,mar)),
       ^(Set_PSW (pass,pass,pass,pass,pass,pass)),
       ^(ExtSig (off,off,no_mem_op)),
       ^(Mpc (jmp,LD_u2_ADDR)))"
   );;

%
LDI_u1_mc = 
|- LDI_u1_mc =
   (F,(T,T),(F,F,F,F),F,T,F,(T,T,F),(F,F,F),T,F),(F,F,F,F,F,F,F,F,F),
   (F,F,T,F),(F,F,T),T,F,T,T,F,T
%

let STI_u1_mc = new_definition
   (`STI_u1_mc`,
    "STI_u1_mc =
      (^(Oper (noreg,nsh,reg_file,add,ir,mar)),
       ^(Set_PSW (pass,pass,pass,pass,pass,pass)),
       ^(ExtSig (off,off,no_mem_op)),
       ^(Mpc (jmp,STI_u2_ADDR)))"
   );;

%
STI_u1_mc = 
|- STI_u1_mc =
   (F,(T,T),(F,F,F,F),F,T,F,(T,T,F),(F,F,F),F,F),(F,F,F,F,F,F,F,F,F),
   (F,F,F,F),(F,F,T),T,F,T,T,T,F
%

let STI_u2_mc = new_definition
   (`STI_u2_mc`,
    "STI_u2_mc =
      (^(Oper (noreg,nsh,reg_dest,nop,reg_file,mbr)),
       ^(Set_PSW (pass,pass,pass,pass,pass,pass)),
       ^(ExtSig (off,off,no_mem_op)),
       ^(Mpc (jmp,ST_u3_ADDR)))"
   );;

%
STI_u2_mc = 
|- STI_u2_mc =
   (F,(T,T),(T,F,F,T),T,F,F,(T,T,F),(F,F,T),F,F),(F,F,F,F,F,F,F,F,F),
   (F,F,F,F),(F,F,T),T,F,T,T,T,T
%

let ADD_u1_mc = new_definition
   (`ADD_u1_mc`,
    "ADD_u1_mc =
      (^(Oper (reg_file,nsh,reg_file,add,reg_file,noreg)),
       ^(Set_PSW (pass,pass,ld_vf,ld_nf,ld_from_alu,ld_zf)),
       ^(ExtSig (off,off,no_mem_op)),
       ^(Mpc (jmp,FETCH_ADDR)))"
   );;

%
ADD_u1_mc = 
|- ADD_u1_mc =
   (F,(T,T),(F,F,F,F),F,F,F,(F,F,F),(F,F,F),F,F),(F,F,F,F,T,T,T,T,T),
   (F,F,F,F),(F,F,T),F,F,F,F,F,F
%

let ADDC_u1_mc = new_definition
   (`ADDC_u1_mc`,
    "ADDC_u1_mc =
      (^(Oper (reg_file,nsh,reg_file,addc,reg_file,noreg)),
       ^(Set_PSW (pass,pass,ld_vf,ld_nf,ld_from_alu,ld_zf)),
       ^(ExtSig (off,off,no_mem_op)),
       ^(Mpc (jmp,FETCH_ADDR)))"
   );;

%
ADDC_u1_mc = 
|- ADDC_u1_mc =
   (F,(T,T),(F,F,F,T),F,F,F,(F,F,F),(F,F,F),F,F),(F,F,F,F,T,T,T,T,T),
   (F,F,F,F),(F,F,T),F,F,F,F,F,F
%

let SUB_u1_mc = new_definition
   (`SUB_u1_mc`,
    "SUB_u1_mc =
      (^(Oper (reg_file,nsh,reg_file,sub,reg_file,noreg)),
       ^(Set_PSW (pass,pass,ld_vf,ld_nf,ld_from_alu,ld_zf)),
       ^(ExtSig (off,off,no_mem_op)),
       ^(Mpc (jmp,FETCH_ADDR)))"
   );;

%
SUB_u1_mc = 
|- SUB_u1_mc =
   (F,(T,T),(F,F,T,T),F,F,F,(F,F,F),(F,F,F),F,F),(F,F,F,F,T,T,T,T,T),
   (F,F,F,F),(F,F,T),F,F,F,F,F,F
%

let SUBC_u1_mc = new_definition
   (`SUBC_u1_mc`,
    "SUBC_u1_mc =
      (^(Oper (reg_file,nsh,reg_file,subc,reg_file,noreg)),
       ^(Set_PSW (pass,pass,ld_vf,ld_nf,ld_from_alu,ld_zf)),
       ^(ExtSig (off,off,no_mem_op)),
       ^(Mpc (jmp,FETCH_ADDR)))"
   );;

%
SUBC_u1_mc = 
|- SUBC_u1_mc =
   (F,(T,T),(F,T,F,F),F,F,F,(F,F,F),(F,F,F),F,F),(F,F,F,F,T,T,T,T,T),
   (F,F,F,F),(F,F,T),F,F,F,F,F,F
%

let BAND_u1_mc = new_definition
   (`BAND_u1_mc`,
    "BAND_u1_mc =
      (^(Oper (reg_file,nsh,reg_file,band,reg_file,noreg)),
       ^(Set_PSW (pass,pass,pass,ld_nf,pass,ld_zf)),
       ^(ExtSig (off,off,no_mem_op)),
       ^(Mpc (jmp,FETCH_ADDR)))"
   );;

%
BAND_u1_mc = 
|- BAND_u1_mc =
   (F,(T,T),(F,T,T,F),F,F,F,(F,F,F),(F,F,F),F,F),(F,F,F,F,F,T,F,T,F),
   (F,F,F,F),(F,F,T),F,F,F,F,F,F
%

let BOR_u1_mc = new_definition
   (`BOR_u1_mc`,
    "BOR_u1_mc =
      (^(Oper (reg_file,nsh,reg_file,bor,reg_file,noreg)),
       ^(Set_PSW (pass,pass,pass,ld_nf,pass,ld_zf)),
       ^(ExtSig (off,off,no_mem_op)),
       ^(Mpc (jmp,FETCH_ADDR)))"
   );;

%
BOR_u1_mc = 
|- BOR_u1_mc =
   (F,(T,T),(T,F,F,F),F,F,F,(F,F,F),(F,F,F),F,F),(F,F,F,F,F,T,F,T,F),
   (F,F,F,F),(F,F,T),F,F,F,F,F,F
%

let BXOR_u1_mc = new_definition
   (`BXOR_u1_mc`,
    "BXOR_u1_mc =
      (^(Oper (reg_file,nsh,reg_file,bxor,reg_file,noreg)),
       ^(Set_PSW (pass,pass,pass,ld_nf,pass,ld_zf)),
       ^(ExtSig (off,off,no_mem_op)),
       ^(Mpc (jmp,FETCH_ADDR)))"
   );;

%
BXOR_u1_mc = 
|- BXOR_u1_mc =
   (F,(T,T),(F,T,T,T),F,F,F,(F,F,F),(F,F,F),F,F),(F,F,F,F,F,T,F,T,F),
   (F,F,F,F),(F,F,T),F,F,F,F,F,F
%

let BNOT_u1_mc = new_definition
   (`BNOT_u1_mc`,
    "BNOT_u1_mc =
      (^(Oper (reg_file,nsh,reg_file,bnot,noreg,noreg)),
       ^(Set_PSW (pass,pass,pass,ld_nf,pass,ld_zf)),
       ^(ExtSig (off,off,no_mem_op)),
       ^(Mpc (jmp,FETCH_ADDR)))"
   );;

%
BNOT_u1_mc = 
|- BNOT_u1_mc =
   (F,(T,T),(T,F,F,T),F,F,F,(F,F,F),(F,F,F),T,F),(F,F,F,F,F,T,F,T,F),
   (F,F,F,F),(F,F,T),F,F,F,F,F,F
%

let ADDI_u1_mc = new_definition
   (`ADDI_u1_mc`,
    "ADDI_u1_mc =
      (^(Oper (reg_file,nsh,reg_file,add,ir,noreg)),
       ^(Set_PSW (pass,pass,ld_vf,ld_nf,ld_from_alu,ld_zf)),
       ^(ExtSig (off,off,no_mem_op)),
       ^(Mpc (jmp,FETCH_ADDR)))"
   );;

%
ADDI_u1_mc = 
|- ADDI_u1_mc =
   (F,(T,T),(F,F,F,F),F,F,F,(F,F,F),(F,F,F),T,F),(F,F,F,F,T,T,T,T,T),
   (F,F,F,F),(F,F,T),F,F,F,F,F,F
%

let ADDCI_u1_mc = new_definition
   (`ADDCI_u1_mc`,
    "ADDCI_u1_mc =
      (^(Oper (reg_file,nsh,reg_file,addc,ir,noreg)),
       ^(Set_PSW (pass,pass,ld_vf,ld_nf,ld_from_alu,ld_zf)),
       ^(ExtSig (off,off,no_mem_op)),
       ^(Mpc (jmp,FETCH_ADDR)))"
   );;

%
ADDCI_u1_mc = 
|- ADDCI_u1_mc =
   (F,(T,T),(F,F,F,T),F,F,F,(F,F,F),(F,F,F),T,F),(F,F,F,F,T,T,T,T,T),
   (F,F,F,F),(F,F,T),F,F,F,F,F,F
%

let SUBI_u1_mc = new_definition
   (`SUBI_u1_mc`,
    "SUBI_u1_mc =
      (^(Oper (reg_file,nsh,reg_file,sub,ir,noreg)),
       ^(Set_PSW (pass,pass,ld_vf,ld_nf,ld_from_alu,ld_zf)),
       ^(ExtSig (off,off,no_mem_op)),
       ^(Mpc (jmp,FETCH_ADDR)))"
   );;

%
SUBI_u1_mc = 
|- SUBI_u1_mc =
   (F,(T,T),(F,F,T,T),F,F,F,(F,F,F),(F,F,F),T,F),(F,F,F,F,T,T,T,T,T),
   (F,F,F,F),(F,F,T),F,F,F,F,F,F
%

let SUBCI_u1_mc = new_definition
   (`SUBCI_u1_mc`,
    "SUBCI_u1_mc =
      (^(Oper (reg_file,nsh,reg_file,subc,ir,noreg)),
       ^(Set_PSW (pass,pass,ld_vf,ld_nf,ld_from_alu,ld_zf)),
       ^(ExtSig (off,off,no_mem_op)),
       ^(Mpc (jmp,FETCH_ADDR)))"
   );;

%
SUBCI_u1_mc = 
|- SUBCI_u1_mc =
   (F,(T,T),(F,T,F,F),F,F,F,(F,F,F),(F,F,F),T,F),(F,F,F,F,T,T,T,T,T),
   (F,F,F,F),(F,F,T),F,F,F,F,F,F
%

let BANDI_u1_mc = new_definition
   (`BANDI_u1_mc`,
    "BANDI_u1_mc =
      (^(Oper (reg_file,nsh,reg_file,band,ir,noreg)),
       ^(Set_PSW (pass,pass,pass,ld_nf,pass,ld_zf)),
       ^(ExtSig (off,off,no_mem_op)),
       ^(Mpc (jmp,FETCH_ADDR)))"
   );;

%
BANDI_u1_mc = 
|- BANDI_u1_mc =
   (F,(T,T),(F,T,T,F),F,F,F,(F,F,F),(F,F,F),T,F),(F,F,F,F,F,T,F,T,F),
   (F,F,F,F),(F,F,T),F,F,F,F,F,F
%

let BORI_u1_mc = new_definition
   (`BORI_u1_mc`,
    "BORI_u1_mc =
      (^(Oper (reg_file,nsh,reg_file,bor,ir,noreg)),
       ^(Set_PSW (pass,pass,pass,ld_nf,pass,ld_zf)),
       ^(ExtSig (off,off,no_mem_op)),
       ^(Mpc (jmp,FETCH_ADDR)))"
   );;

%
BORI_u1_mc = 
|- BORI_u1_mc =
   (F,(T,T),(T,F,F,F),F,F,F,(F,F,F),(F,F,F),T,F),(F,F,F,F,F,T,F,T,F),
   (F,F,F,F),(F,F,T),F,F,F,F,F,F
%

let BXORI_u1_mc = new_definition
   (`BXORI_u1_mc`,
    "BXORI_u1_mc =
      (^(Oper (reg_file,nsh,reg_file,bxor,ir,noreg)),
       ^(Set_PSW (pass,pass,pass,ld_nf,pass,ld_zf)),
       ^(ExtSig (off,off,no_mem_op)),
       ^(Mpc (jmp,FETCH_ADDR)))"
   );;

%
BXORI_u1_mc = 
|- BXORI_u1_mc =
   (F,(T,T),(F,T,T,T),F,F,F,(F,F,F),(F,F,F),T,F),(F,F,F,F,F,T,F,T,F),
   (F,F,F,F),(F,F,T),F,F,F,F,F,F
%

let EINT_u1_mc = new_definition
   (`EINT_u1_mc`,
    "EINT_u1_mc =
      (^(Oper (noreg,nsh,pc,nop,noreg,mbr)),
       ^(Set_PSW (set_sm,clr_ie,pass,pass,pass,pass)),
       ^(ExtSig (off,off,no_mem_op)),
       ^(Mpc (jmp,EINT_u2_ADDR)))"
   );;

%
EINT_u1_mc = 
|- EINT_u1_mc =
   (F,(T,T),(T,F,F,T),T,F,F,(T,T,F),(T,F,T),T,F),(T,F,F,T,F,F,F,F,F),
   (F,F,F,F),(F,F,T),T,T,F,F,T,F
%

let EINT_u2_mc = new_definition
   (`EINT_u2_mc`,
    "EINT_u2_mc =
      (^(Oper (noreg,nsh,ssp,nop,noreg,mar)),
       ^(Set_PSW (pass,pass,pass,pass,pass,pass)),
       ^(ExtSig (off,off,no_mem_op)),
       ^(Mpc (jmp,EINT_u3_ADDR)))"
   );;

%
EINT_u2_mc = 
|- EINT_u2_mc =
   (F,(T,T),(T,F,F,T),F,T,F,(T,T,F),(F,T,F),T,F),(F,F,F,F,F,F,F,F,F),
   (F,F,F,F),(F,F,T),T,T,F,F,T,T
%

let EINT_u3_mc = new_definition
   (`EINT_u3_mc`,
    "EINT_u3_mc =
      (^(Oper (ssp,nsh,ssp,inc,noreg,noreg)),
       ^(Set_PSW (pass,pass,pass,pass,pass,pass)),
       ^(ExtSig (off,off,wr)),
       ^(Mpc (jmp,EINT_u4_ADDR)))"
   );;

%
EINT_u3_mc = 
|- EINT_u3_mc =
   (F,(T,T),(F,F,T,F),F,F,F,(F,F,T),(F,T,F),T,F),(F,F,F,F,F,F,F,F,F),
   (F,F,F,T),(F,F,T),T,T,F,T,F,F
%

let EINT_u4_mc = new_definition
   (`EINT_u4_mc`,
    "EINT_u4_mc =
      (^(Oper (pc,nsh,C255,band,ivec,noreg)),
       ^(Set_PSW (pass,pass,pass,pass,pass,pass)),
       ^(ExtSig (i_ack,off,no_mem_op)),
       ^(Mpc (jmp,FETCH_ADDR)))"
   );;

%
EINT_u4_mc = 
|- EINT_u4_mc =
   (F,(T,T),(F,T,T,F),F,F,F,(T,F,F),(T,F,F),F,T),(F,F,F,F,F,F,F,F,F),
   (T,F,F,F),(F,F,T),F,F,F,F,F,F
%

%
This list must contain the microinstructions that implement the
behavior in the definition micro_inst_list defined in def_micro.ml.
%
let micro_rom = new_definition
   (`micro_rom`,
    "!n . micro_rom n =
      EL n
       [FETCH_mc; ISSUE_mc; DECODE_mc; NOOP_u1_mc; JMP_u1_mc; CALL_u1_mc;
        INT_u1_mc; RTI_u1_mc; GPSW_u1_mc; PPSW_u1_mc; LD_u1_mc; ST_u1_mc;
        LSL_u1_mc; LSR_u1_mc; ASR_u1_mc; RTN_u1_mc; NOOP_u1_mc; NOOP_u1_mc;
        LDI_u1_mc; STI_u1_mc; ADD_u1_mc; ADDC_u1_mc; SUB_u1_mc; SUBC_u1_mc;
        BAND_u1_mc; BOR_u1_mc; BXOR_u1_mc; BNOT_u1_mc; ADDI_u1_mc;
        ADDCI_u1_mc; SUBI_u1_mc; SUBCI_u1_mc; BANDI_u1_mc; BORI_u1_mc;
        BXORI_u1_mc; NOOP_u1_mc; CALL_u2_mc; CALL_u3_mc; CALL_u4_mc;
        INT_u2_mc; INT_u3_mc; INT_u4_mc; RTI_u2_mc; RTI_u3_mc; RTN_u2_mc;
        LD_u2_mc; ST_u2_mc; ST_u3_mc; STI_u2_mc; EINT_u1_mc; EINT_u2_mc;
        EINT_u3_mc; EINT_u4_mc; LD_u3_mc; NOOP_u1_mc; NOOP_u1_mc;
        NOOP_u1_mc; NOOP_u1_mc; NOOP_u1_mc; NOOP_u1_mc; NOOP_u1_mc;
        NOOP_u1_mc; NOOP_u1_mc; NOOP_u1_mc]"
   );;

save_thm(`micro_rom_expanded`,
   SUBS [FETCH_mc; ISSUE_mc; DECODE_mc; NOOP_u1_mc; JMP_u1_mc;
         CALL_u1_mc; INT_u1_mc; RTI_u1_mc; GPSW_u1_mc;
         PPSW_u1_mc; LD_u1_mc; ST_u1_mc; LSL_u1_mc; LSR_u1_mc;
         ASR_u1_mc; RTN_u1_mc; NOOP_u1_mc; NOOP_u1_mc;
         LDI_u1_mc; STI_u1_mc; ADD_u1_mc; ADDC_u1_mc; SUB_u1_mc;
         SUBC_u1_mc; BAND_u1_mc; BOR_u1_mc; BXOR_u1_mc;
         BNOT_u1_mc; ADDI_u1_mc; ADDCI_u1_mc; SUBI_u1_mc;
         SUBCI_u1_mc; BANDI_u1_mc; BORI_u1_mc; BXORI_u1_mc;
         NOOP_u1_mc; CALL_u2_mc; CALL_u3_mc; CALL_u4_mc;
         INT_u2_mc; INT_u3_mc; INT_u4_mc; RTI_u2_mc;
         RTI_u3_mc; RTN_u2_mc; LD_u2_mc; ST_u2_mc; ST_u3_mc;
         STI_u2_mc; EINT_u1_mc; EINT_u2_mc; EINT_u3_mc;
         EINT_u4_mc; LD_u3_mc] micro_rom
);;

close_theory();;
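The only thing that ties a symbolic target such as INT_u2_ADDR in a definition to the six Address bits printed in the expanded theorem is the position of INT_u2_mc in the micro_rom list: the micro-level interpreter fetches the next microinstruction with EL applied to bt6_val of the Mpc field, so a wrong bit pattern silently sequences into a different microinstruction. The Python below is an added example and not part of Windley's HOL scripts. It copies the ROM layout from the micro_rom definition and the expanded tuples from the theorems as they are printed in this listing, decodes the Address field the way bt6_val does (most significant bit first), checks every jump against the list position, reports which of the supervisor-mode and interrupt-enable control bits a microinstruction asserts, and walks a microinstruction chain from its first step back to FETCH. The bit positions used for S_sm, C_sm, S_ie and C_ie are taken from the order of those selectors in SPEC_ALL_SELECTORS in the proof script; that mapping, and the field split of the flat tuple, are this example's reading of the listing. Run as printed, the check flags one entry: the STI_u1 tuple as printed here carries address 46 (ST_u2), while its definition names STI_u2_ADDR, position 48.

```python
"""Consistency check over the AVM-1 micro_rom listing and the expanded
microinstruction theorems.  Added example; not part of Windley's HOL scripts."""
import ast

# Microprogram address i is entry i of this list (micro_rom n = EL n [...]).
# Copied from the micro_rom definition, including the repeated NOOP_u1 slots.
MICRO_ROM = (
    ["FETCH", "ISSUE", "DECODE", "NOOP_u1", "JMP_u1", "CALL_u1",
     "INT_u1", "RTI_u1", "GPSW_u1", "PPSW_u1", "LD_u1", "ST_u1",
     "LSL_u1", "LSR_u1", "ASR_u1", "RTN_u1", "NOOP_u1", "NOOP_u1",
     "LDI_u1", "STI_u1", "ADD_u1", "ADDC_u1", "SUB_u1", "SUBC_u1",
     "BAND_u1", "BOR_u1", "BXOR_u1", "BNOT_u1", "ADDI_u1",
     "ADDCI_u1", "SUBI_u1", "SUBCI_u1", "BANDI_u1", "BORI_u1",
     "BXORI_u1", "NOOP_u1", "CALL_u2", "CALL_u3", "CALL_u4",
     "INT_u2", "INT_u3", "INT_u4", "RTI_u2", "RTI_u3", "RTN_u2",
     "LD_u2", "ST_u2", "ST_u3", "STI_u2", "EINT_u1", "EINT_u2",
     "EINT_u3", "EINT_u4", "LD_u3"] + ["NOOP_u1"] * 10)

# (target named by Mpc(jmp, X_ADDR), expanded tuple) copied from the listing.
EXPANDED = {
    "INT_u1":  ("INT_u2",  "(F,(T,T),(T,F,F,T),T,F,F,(T,T,F),(T,F,T),T,F),(T,F,F,T,F,F,F,F,F),(F,F,F,F),(F,F,T),T,F,F,T,T,T"),
    "INT_u2":  ("INT_u3",  "(F,(T,T),(T,F,F,T),F,T,F,(T,T,F),(F,T,F),T,F),(F,F,F,F,F,F,F,F,F),(F,F,F,F),(F,F,T),T,F,T,F,F,F"),
    "INT_u3":  ("INT_u4",  "(F,(T,T),(F,F,T,F),F,F,F,(F,F,T),(F,T,F),T,F),(F,F,F,F,F,F,F,F,F),(F,F,F,F),(F,F,T),T,F,T,F,F,T"),
    "INT_u4":  ("FETCH",   "(F,(T,T),(F,T,T,F),F,F,F,(T,F,F),(T,F,F),T,F),(F,F,F,F,F,F,F,F,F),(F,F,F,T),(F,F,T),F,F,F,F,F,F"),
    "RTI_u1":  ("RTI_u2",  "(F,(T,T),(F,T,F,T),F,T,F,(F,F,T),(F,T,F),T,F),(F,F,F,F,F,F,F,F,F),(F,F,F,F),(F,F,T),T,F,T,F,T,F"),
    "RTI_u2":  ("RTI_u3",  "(F,(T,T),(T,F,F,T),F,F,F,(T,T,F),(T,F,T),T,F),(F,T,T,F,F,F,F,F,F),(F,F,T,F),(F,F,T),T,F,T,F,T,T"),
    "RTI_u3":  ("FETCH",   "(T,(T,T),(T,F,F,T),F,F,F,(T,F,F),(T,F,T),T,F),(F,F,F,F,F,F,F,F,F),(F,F,T,F),(F,F,T),F,F,F,F,F,F"),
    "RTN_u1":  ("RTN_u2",  "(F,(T,T),(F,T,F,T),F,T,F,(F,F,F),(F,F,T),T,F),(F,F,F,F,F,F,F,F,F),(F,F,F,F),(F,F,T),T,F,T,T,F,F"),
    "RTN_u2":  ("RTI_u3",  "(F,(T,T),(T,F,F,T),F,F,F,(T,T,F),(T,F,T),T,F),(F,F,F,F,F,F,F,F,F),(F,F,T,F),(F,F,T),T,F,T,F,T,T"),
    "ST_u1":   ("ST_u2",   "(F,(T,T),(F,F,F,F),F,T,F,(T,T,F),(F,F,F),F,F),(F,F,F,F,F,F,F,F,F),(F,F,F,F),(F,F,T),T,F,T,T,T,F"),
    "ST_u2":   ("ST_u3",   "(F,(T,T),(T,F,F,T),T,F,F,(T,T,F),(F,F,T),F,F),(F,F,F,F,F,F,F,F,F),(F,F,F,F),(F,F,T),T,F,T,T,T,T"),
    "ST_u3":   ("FETCH",   "(F,(T,T),(T,F,F,T),F,F,F,(T,T,F),(T,F,T),T,F),(F,F,F,F,F,F,F,F,F),(F,F,F,T),(F,F,T),F,F,F,F,F,F"),
    "STI_u1":  ("STI_u2",  "(F,(T,T),(F,F,F,F),F,T,F,(T,T,F),(F,F,F),F,F),(F,F,F,F,F,F,F,F,F),(F,F,F,F),(F,F,T),T,F,T,T,T,F"),
    "STI_u2":  ("ST_u3",   "(F,(T,T),(T,F,F,T),T,F,F,(T,T,F),(F,F,T),F,F),(F,F,F,F,F,F,F,F,F),(F,F,F,F),(F,F,T),T,F,T,T,T,T"),
    "LDI_u1":  ("LD_u2",   "(F,(T,T),(F,F,F,F),F,T,F,(T,T,F),(F,F,F),T,F),(F,F,F,F,F,F,F,F,F),(F,F,T,F),(F,F,T),T,F,T,T,F,T"),
    "EINT_u1": ("EINT_u2", "(F,(T,T),(T,F,F,T),T,F,F,(T,T,F),(T,F,T),T,F),(T,F,F,T,F,F,F,F,F),(F,F,F,F),(F,F,T),T,T,F,F,T,F"),
    "EINT_u2": ("EINT_u3", "(F,(T,T),(T,F,F,T),F,T,F,(T,T,F),(F,T,F),T,F),(F,F,F,F,F,F,F,F,F),(F,F,F,F),(F,F,T),T,T,F,F,T,T"),
    "EINT_u3": ("EINT_u4", "(F,(T,T),(F,F,T,F),F,F,F,(F,F,T),(F,T,F),T,F),(F,F,F,F,F,F,F,F,F),(F,F,F,T),(F,F,T),T,T,F,T,F,F"),
    "EINT_u4": ("FETCH",   "(F,(T,T),(F,T,T,F),F,F,F,(T,F,F),(T,F,F),F,T),(F,F,F,F,F,F,F,F,F),(T,F,F,F),(F,F,T),F,F,F,F,F,F"),
}

JMP = (False, False, True)                       # Cond field of Mpc(jmp, _)
PSW_CONTROLS = ("S_sm", "C_sm", "S_ie", "C_ie")  # leading Set_PSW bits, selector order


def parse_uinst(text):
    """Split a printed microinstruction into Oper, Set_PSW, ExtSig, Cond, Address.

    HOL prints right-nested tuples flat, so the last six booleans are the 6-bit
    Address field and the triple before them is Cond."""
    tup = ast.literal_eval(text.replace("T", "True").replace("F", "False"))
    oper, psw, extsig, cond = tup[:4]
    addr = tup[4:]
    if len(addr) != 6:
        raise ValueError(f"expected 6 address bits, got {len(addr)}")
    return {"oper": oper, "psw": psw, "extsig": extsig, "cond": cond, "addr": addr}


def bt6_val(bits):
    """MSB-first value of a 6-tuple of booleans, as bt6_val in the interpreter."""
    value = 0
    for bit in bits:
        value = 2 * value + int(bit)
    return value


def psw_controls(name, expanded=EXPANDED):
    """Names of the supervisor/interrupt control bits a microinstruction asserts."""
    psw = parse_uinst(expanded[name][1])["psw"]
    return tuple(ctl for ctl, bit in zip(PSW_CONTROLS, psw) if bit)


def check_jumps(expanded=EXPANDED, rom=MICRO_ROM):
    """Return (name, encoded address, declared address) for every microinstruction
    whose Address bits do not select the microinstruction its definition names."""
    bad = []
    for name, (target, text) in expanded.items():
        fields = parse_uinst(text)
        want = rom.index(target)
        if tuple(fields["cond"]) != JMP:
            bad.append((name, None, want))
            continue
        got = bt6_val(fields["addr"])
        if got != want:
            bad.append((name, got, want))
    return bad


def trace(start, expanded=EXPANDED, rom=MICRO_ROM):
    """Follow the microsequencer from `start` back to FETCH using only the encoded
    Address bits, i.e. the EL n (micro_inst_list rep) path of the interpreter."""
    path = [start]
    while path[-1] != "FETCH":
        if len(path) > len(rom):
            raise RuntimeError("microsequencer loop: " + " -> ".join(path))
        addr = bt6_val(parse_uinst(expanded[path[-1]][1])["addr"])
        path.append(rom[addr])
    return path


if __name__ == "__main__":
    print("jump mismatches:", check_jumps())
    for name in ("INT_u1", "RTN_u1", "STI_u1"):
        print(name, "->", " -> ".join(trace(name)), "| PSW controls:", psw_controls(name))
```

check_jumps returns an empty list when the ROM layout and every encoded address agree; trace("RTN_u1") shows RTN sharing RTI_u3 for its final step, and psw_controls picks out INT_u1, EINT_u1 (set_sm, clr_ie) and RTI_u2 (clr_sm, set_ie) as the only microinstructions in the table that change privilege or interrupt state. All tuples in EXPANDED are copied from the expanded theorems as they appear in this listing, so the STI_u1 finding says nothing beyond that listing.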
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3.6.3 The Micro-Level Proof 


The section presents the ML code that creates the theory micro. th. 

% 

Fil#: Bk.micro.ml 

Author: (c) P. J. Vindloy 1990 

Dot*: JOT 23. 1990 

Modified: 

Description: 

Proves the micro— level correct with respect to the phase— level 
using the generic interpreter proof, phase. th and micro.def . th. 

X 

set.search.path (search.pathO € [*/muz tag/home /windley/hol/tact ics/* ; 

# /muztag/home/windley/hol/ml/ ' ; 

]);; 

let Library.Root * * /muz tag/home/windley /hoi /Library/* ; ; 

set .sear ch.path 

(search.patbO t 

(map (concat Library.Root) 

[‘tuple/ 1 ; ‘decimal/*] )) ; ; 

load* ‘abstract*;; 

system * /bin/rm micr o . th * ; ; 

new.theory ‘micro*;; 

loadf ‘tuple*;; 

-. r n*»_p«r*nt t‘g*n_I‘ ; ‘*icro_d#f * ; ‘phaso* ; *uin»t'] ; ; 
n«a_autoload_th*ory ‘ucod«_def ' ; ; 

X 

From micro. del ^ 

let load.micro.inBt ■ (\x. theorem ‘micro.def* x) ; ; 

* 

: thm list 

Run time: 2824.7s 

let instructions * map load.micro.inst 
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! * FETCH ‘ ; * 

ISSUE ‘ ; 

•DECODE'; 

'■OOP.ul'; 

' JHP.ul ' ; 

‘ CALL.ul ‘ ; 

'IBT.ul'; 

‘RTI.ul ' ; 

'GPSV.ul' 

; 'PPSW.ul • ; 

‘LD_ul 1 ; ‘ 

ST.ul ' ; 

‘LSL.ul ' ; 

‘LSR.ul' ; 

‘ASR.ul * ; 

'RTB.ul ' ; 

'■OOP.ul' 

; '■OOP.ul'; 

‘LDI.ul * ; 

'STI.ul' ; 

'ADD.ul'; 

‘ ADDC.ul * ; 

'SUB.ul' ; 

‘SUBC.ul* ; 

'BABD.ul * 

; ‘BOR.ul ' ; 

‘BXOR.ul 1 

; ‘BBOT.ul ‘ ; 

'ADDI.ul ’ 

; ’ADDCI.ul * 

'SUBI.ul' 

; ‘SUBCI.ul' 

'BAIDI.ul 

‘ ; 'BORI.ul' 

'BXORI.ul 

'; '■OOP.ul' 

' CALL_u2 ' 

; ‘ CALL_u3 ‘ ; 

' CALL_u4 ‘ 

; ‘ IBT_u2 * ; 

‘ IBT_u3 ‘ ; 

* IET_u4 ' ; 

‘RTI_u2‘ ; 

'RTI_u3 ' ; 

1 RTR_u2 ‘ ; 

* LD_u2 ‘ ; 

' ST_u2 * ; ‘ 

ST_u3‘ ; 

' STI_u2 * ; 

'EIBT.ul ‘ ; 

‘EIIT_u2 ‘ 

; ‘EIIT_u3‘ ; 

'EIBT_u4' 

; 'LD.u3‘ ; 

'■OOP.ul' 

; 'BOOP.ul 1 ; 

'■OOP.ul ‘ 

; ‘■OOP.ul 1 ; 

‘■OOP.ul ' 

; 'BOOP.ul'; 

'■OOP.ul ‘ 

; ‘BOOP.ul 1 ; 

'■OOP.ul' 

; 'BOOP.ul 1 ] 


let micro. inst .list » definition ‘micro.def* 'micro.inst.list ' ; ; 
let GetKPC ■ definition ‘micro.def 'GetMPC*;; 


Prom phase.def 

% 

let load.phase.inst * (\z. definition ‘phase.def x);; 

let phase* ■ map load.phase.inst 

[‘phase. one .del ‘ ; * phase. tvo.def 1 ; 1 phase. three.def * ; ‘ phase _f our.def '] ; ; 
let Phase. Substate * definition ‘phase.def ‘ Phase. Subs tat e ‘ ; ; 
let GetPhaseClock ■ definition ‘phase.def 'GetPhaseClock* ; ; 
let PhaseClockBegin * definition ‘phase.def * Phase ClockBegin* ; ; 
let ALU.FUIC * definition ‘phase.def ‘ALU.FUIC*;; 
let ALU. CARR T.FUIC - definition ‘phase.def ‘ALU.CARRT.FUIC* ; ; 
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l # t ALU. IEG _FUI C - definition ‘phase.def* f ALU.IEG.FUIC* ; ; 

let ALU.ZERO.FUHC » definition ‘phase.def* * ALU.ZERO.FUHC* ; ; 

let ALU.OVFL.FUHC ■ definition ‘phase.def* ‘ALU.OVFL.FUHC*;; 

let SHIFTER.FUHC - definition ‘phase.def* 1 SHIFTER.FUHC* ; ; 

let SHIFTER. CARRY.FUIC • definition ‘phase.def ' * SHIFTER.CARRY.FUHC * 

let Phase. Int ■ theorem ‘phase* ‘Phase. Int ‘ ; ; 

l 

Hisc. stuff 


let Hext * definition ‘time.abs* ‘Hext*;; 

let micro.rom.expanded - theorem ‘uinst* ‘micro.rom.expanded* ; ; 

let HPC.UNIT - 
BETA. RULE ( 

E1P AID. LET. RULE ( 

definition ‘mpc.def* ‘MPC.UHIT* ) ) ; ; 

X 

The representation types 

let rep.ty - abstract. type ‘aux.def* ‘opcode*;; 

l«t I.rep.ty ■ abstract.type ‘gen.I* ‘Impl*;; 

let micro.state « " : ( (*wordn)listt*wordnt*wordn#*memory# 
*wordn#*wordn#*wordn#*wordn#bt6) " ; ; 

let micro. env * ° :bool" ;; 


let Phase.state - 

« ; ( (*wordn)list#*wordn#**ordn#*nemory# 
*mordn#*wordn#ewordn#ewordn#bt6# 

»wordn>»wordntbooltboolfucodet (num~>ucode) #bt 2) ‘ ; ; 

let Phase.env ■ ":bool" ;; 


Define the micro level interpeter in terms of the generic 
interpreter definition* 


let Micro. Int.def - new.def inition 
(‘Hicro.Int.def 1 , 

» i (rep: *rep_ty) (s :time->*micro_state) (e: time->“micro.enT) . 


Micro.Int rap a a * 

IITERP 

(nicro.inat.liat rap, 
bt6_val, GatMPC, 

Phaaa.Subatata rap, I, Phaaa.Int rap, 
GatPhaaaClock rap, PhaaaClockBagin, Cxrona.F) a a*' 


lat Micro. Int * aava.tha 
( 'Micro. Int * , 

QICE.REVRITE.RULE [GatKPC] ( 

BETA.RULE ( 

EXPAID.LET.RULE 

(inatantiata.abatract.dalinition ‘gan.I* 'IITERP* Micro Int dal))) 

);; 


X 

Micro. Int * 

I - trap a a. 

Micro.Int rap a a * 

(!t. 

a(t + 1) - 
SID 

(EL(bt6_val(GatHPC(s t)(a t ) ) ) (aicro.inat.liat rap)) 

(a t) 

(a t)) 

Run tina: 15.4a 

Intarmadiata thaorana ganaratad: 921 

% 


lat Micro. Int.Inat.Corract. dal * naa.dalinition 
( ‘Micro.Int .Inat.Corract.dal ‘ , 

11 ! (rap: ~rap_ty) (a :tina->“Phaaa_atata) (a : tiaa->"Phasa_anv) . 

Micro. Int. Inat.Corract rap a a * 

IVST. CORRECT 

(nicro.inst.liat rap, 
bte.val, GatKPC , 

Phaaa.Subatata rap, I, Phaaa.Int rap, 

GatPhaaaClock rap, PhaaaCIockBagin, Cxrona.F) a a” 

);; 

lat Micro. Int .Inat.Corract ■ 
lat Micro. Int .EXT ■ 

COIV.RULE (TOP.DEPTH.COIV FUI.EQ.COIV) Micro.Int .Inat.Corract .dal in 
(REVRITE.RULE [I.THM] ( 

BETA.RULE ( 

EXPAtD.LET.RULE ( 
inatantiata.abatract.dalinition 
'g«n.I‘ 

* IIST.CORRECT ‘ 

Micro. Int .EXT ) ) ) ) ; ; 


X 
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Hicro.Int.Inst.Corract - 

|- !rap sap. 

Hicro.Int .Inst .Corract rap » • P ** 

Phasa.Int rap » • “> 

(GatKPC (Phasa.Substata rap(s t))(a t) ■ FST p) A 
(GatPhasaCloek rap(s t)(* t) “ PhasaClockBagin) “> 
(?c. 


■axt 

(\t*. GatPhasaCloek rap(s t')(* t’) 
(t,t + c) /\ 

(SID p(Phasa_Substata rap(s *))(• t) 
Phasa.Substata rap(s(t + c))))) 


- PhasaClockBagin) 


-X 


■ap (dalata.cacha o fst) (cachad.thaoriasO) ; ; 

£ 

Sow ML function for tha infaranca rulas that follow 

lat last 1 - (al (length 1) 1);; 

latrac tarw.list.al n 1 ■ ( 

lat tw.hd x - rand(f at (dast.comb x)) and 
ta.tl x * snd(dast_co»b x) in 
if (n * 0) than ta.hd 1 also 
tara_list_al (n-1) (tm.tl 1)) ? 
failwith 1 tarw.list.al * ; ; 


cura for right no,. Ii anyon. is a.rioualy conc.rnad 
that this isn’t right. I'll do it otar. 


1st EL.COIV ta - ( . . A . 

1st ((c,n) ,1) ■ ((dsst_eoab#I)o dast.conb) t* in 

lat n.int * tar»_to_int n in 

»k_thw([] # *’~t» - ~ (tam_li»t_al n.int 1)")) ? 
failwith * EL.COHV ‘ ; ; 


X 

lat ia.SID.tarw t - 

if ia.cowb t than ( 

1st (dast_const (fst (strip. comb t))) - ‘SID 

slsa 

falsa; ; 


: — 

Soma othar nica convarsions 


SID.COIV "SID (x.y)" — > I - SID (x.y) ” y 


lat SID.COIV t - 

if is.SID.tarm t than 

lat op.pr - dast.comb t in 



l*t op,[tl;t2] “ atrip.conb pr in 
SPECL [tl;t2] ( 

IHST.TTPE [((typa.of tl), ":*"); 

((typa.of t2), ":**")] SID) 


•la* 

failwith ‘SID.COIV;; 




ADD.ASSOC.COHV "a+(b+c) H — > |- a +(b+c) - (a+b)+c 


lat ADD.ASSOC.COHV t - 
l*t opl,[tl;t2] ■ atrip.conb t 
in 

l*t op2,[t3;t4] » atrip.conb t2 
in 

if opl “ "t+" k op2 « "$+" 
than SPECL [t 1 ; t3 ; t4] ADD. ASSOC 
•la* fail; ; 


IIV .ADD.ASSOC.COHV "(a+b)+c" — > I- (a+b)+c - a+(b+c) 

l*t IIV_ADD_ASSOC - (GEN.ALL o STM o SPEC.ALL) ADD. ASSOC; ; 

l*t IIV_ADD.ASSOC.COHV t - 
l*t opl,[tl;t2] » atrip.coab t 
in 

l*t op2,[t3;t4] « atrip.conb tl 
in 

if opl - "$+" k op2 » M $+" 
than SPECL [t3;t4;t2] IHV.ADD. ASSOC 
•la* fail; ; 




inT.nun.C0HV inv.nun.COHV "(SUC 2)” — > |- SUC 2-3 


l*t inT.nun.C0HV n « ( 

l*t x, jr * d«at_conb n in 

l*t y.inc “ int.to.tara ((t*m_to_int y) + 1) in 
if not(x - "SUC") th«n fail ala* 

STM.RULE (nun.COIV y.inc)) 

? failwith ‘ inT.nun.COHV ‘ ; ; 


Uaing W.Phaaa.Int.Inat.LEMMA, *• can proT* a lanna of tha form 

I- Phaaa.Int 
rap 

(\t. 

(rag t.pa* t,pc t.nan t.iaac t,ir t.nar t.nbr t.npc t.alatch t, 
blatch t.iraq.ff t.iack.ff t.nir t.uron.clk t)) 

(\t. (int.a t)) "*> 

(!t. 
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(r*g(t + l),ps»(t + l),pc(t + + l),iT*e(t + l),ir(t ♦ 1). 

smr(t ♦ 1) t mbr(t + l),apc(t + l),alatch(t + i),blatch(t + l) f 
ir*q_lf(t + l),iack_«(t + l),*ir(t + 1 ) ,uro».clk(t + 1) - 
(ltt naw.air ■ urom(bt6_Tal(apc t)) 
and naw.clk ■ F,T 
in 

rag t,p»w t.pc t ,i» t.ivac t,ir t.aar t.abr t.apc t, alatch t, 
blatch t.iraq.ff t.iack.ff t,n#»_mir,uro*.n#*_clk))) 


( 


lat Pha»a_Int_SPEC ■ 

PUKE.OICE_REVRITE_HULE [GatPhaaaClock] 

BETA.RULE ( 

SPECL ["rap: "rapjty" ; 

"(\t. (rag t.psw t.pc t t, 

ivac t.ir t,aar t.abr t.apc t, 
alatch t, blatch t, iraq.ff t, iack.ll t, 
mir t, utob, elk t) ) :tiaa->~Pha*a,.»tata"; 
"(\t. (int.a t ) ) : ti«a“>“Phas#_any n ] Phasa.Iat) ) ; ; 


lat HK_Phas#_Int .Inst .LEMMA inst * 

lat tp m ak.n. tuple. from, int 2 inst in 
lat clk.tara * "elk t * 'tp" in 
DISCH.ALL ( 

GEM "t" ( 

DISCH clk.tara ( 

SUBS [SPECL ["rap:'rap.ty"; 

"rag t : (awordn)list" ; 

"b#b t:*aaaory"; 

"paw t:*wordn"; 

"pc t:*aordn"; 

"ivac t:*wordn"; 

"ir t:*wordn"; 

"aar t:a*ordn" ; 

"abr t:*wordn"; 

"alatch t : awordn" ; 
"blatch t : awordn" ; 


"ape t :bt6" ; 
tp; 

"uroa : nua->ucode" ; 

"air trucoda"; 

"iraq.ff ttbool"; 

"iack.ff t :bool"; 

t:bool"] (al (in*t+l) phasaa)] 
COIV.RULE (DEPTH.COIV SID.COIV) ( 
coiv'rule (0*CE_DEPTH_C0IV EL.COIV) ( 

SOBS Cbt2_T«l_C0IV "bt2_Tal *tp"] ( 

SOBS [AS SOKE clk_t#r*3 ( 

SPEC. ALL ( 

SOBS CPhaaa.Int .SPEC] ( 

ASSUME 

“Phasa.Int (rap: 'rap.ty) 


( 
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(\t. (rag t .psv t.pc t ,mi t, 

irec t ,ir t,ur t.abr t.apc t, 

alatch t, blatch t, ireq.ff t, iack.ff t. 

air t, tiros, elk t)) 

(\t. (int.a t))")))»))»);; 

lat ak.nua.list n * 

letrec ak.nua.list _aux n a ■ 
if n • a then [a] else 
(n . (ak.nua_list.auz (n+1) a)) in 
ak_nua.list.aux 0 n; ; 

lat Phasa_Int.Inst.list - aap MK _Phas a _Int. Inst .LEMMA (ak.nua.list 3);; 

lat Micro. Ins t .Correct .LMIA ■ 

REWRITE. RULE [GatPhasaClock; Phase. Sub state; lext ; 
PhasaClockBeginjGetMPC;] ( 

BET A. RULE ( 

SPECL ["rep:"rep.ty"; 

"(\t. (rag t.psw t.pc t.aen t, 

ivec t,ir t.aar t.abr t.apc t, 

alatch t, blatch t t ireq.ff t, iack.ff t, 

air t, aicro.roa, elk t) ) : tine->"Phase_state" ; 

°(\t. (int.a t )) :tine-> "Phase .enr"] 

Micro.Int.Inst.Corract)) ; ; 


lat BEGII.ADDR - "F.F"; ; 


%■ 


Create a goal for instruction n 




lat MK_IIST.CORRECT.GOAL n - 
lat inst * tara.list.al n 
(snd(dest_eq( 

snd(dest_forall(concl aicro. inst .list) ) ) ) ) in 
11 ! (rep: "rep.ty) (rag :tiae->(*vordn) list) (aaa: tiae->*aeaory) 

(psw pc ivec ir aar abr alatch blatch: tiaa->avordn) 

(ape :tiaa->bt6) (clk:tiae->bt2) (uroa:nua->ucoda) (air : tiaa->ucoda) 
(ireq.ff iack.ff int.a :tiae->bool) . 

(!p. ak.psv rap 

(gat.sa rap p,get_ie rap p.get.rf rap p, 
gat.nf rap p,get_cf rap p.get.zf rap p) ■ p) **> 
Micro.Int.Inst.Corract rap 

(\t. (rag t .psw t.pc t.aaa t. 

irac t .ir t.aar t.abr t.apc t. 

alatch t. blatch t, ireq.ff t, iack.ff t. 

air t. aicro.roa. elk t)) 

(\t. (int.a t)) "inst”; ; 


lat phase. one. expanded * 

EXPA1D.LET.RULE (al 1 Phase. Int .Inst .list) ; ; 

lat phase.tvo.expanded ■ 

EXP AID. LET. RULE (al 2 Phasa.Int.Inst.list) ; ; 
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lat phaaa.thraa.axpandad ” 

FTPiin LET RULE (#1 3 Phaaa.Int.Inat.liat) j ; 

l#t RAEGE.LEHHA - TAC.PROOF 

((□. 

"!tl t2 (elk:ti*a->bt2) x . 

/\ t* < t2 “> '(elk t’ * x)) A 

'(elk t2 - x) — > . . 

(!f. tl < t* A t> < (t2 + 1) --> '(elk t* - x)V). 

REPEAT STRIP _TAC 

THEE ASSUH.LIST (\ul. ASSUHE.TAC ( 

SPEC "t* :ti*a" (al 6 a»l))) 

THEE ASSUH.LIST (\ul. STRIP. ASSUHE.TAC ( 

REWRITE.RULE [SYM.RULE ADD 1 ; LESS _THM] (al 3 ul))) 
THEEL [ 

ASSUM.LIST (\aal . ASSUME.TAC ( 

REWRITE.RULE [al 1 asl] (al 3 asl))) 

ALL.TAC 

] 

THEE RES.TAC 

);; 


lat LESS.SQUEEZE.LEMMA - 
lat LESS.EQ.SUC - 

STM.RULE ( % . 

PURE.OECE .REWRITE.RULE [DISJ.SYM] LESS.THM) in 
PURE.OECE_REWRITE.RULE [ADD1] ( 

PUReIoHCE.REWRITE.RULE [LESS.EQ.SUC] ( 

PURE.OECE.REWRITE.RULE [LESS.OR.EQ] LESS.EQ.AHTISYM) , ■ 


% 


Spacializa tha aalactora on tha ueoda for a particular uinat.^ ^ 

lat SPEC.SELECTOR x thn - 

lat inst ■ and(daat_aq x) in 

lat <opar.(p«.Cig.«PC») ‘(ltd* da. t pair)) ( 

(I i dsst.psir) ( 

(dsst.pair inst))) in 

l#t (ax t sh,al»*b,*a,pc > tg,ss,sb) - / 

(I I (I I (I » (I * (I <• d » (H daat. pair) )))))) ( 

(I j (I # (I # (I * (I • (I * daat.pair)))))) ( 

(I « (I f (I i U * <1 « daat.pair))))) ( 

(I « (I # (I t (I • daat.pair)))) ( 

(I « (I • (I * daat.pair))) ( 

(I * (I t daat .pair)) ( 

(I t daat.pair) ( 

(daat.pair opar)))))))) in 

lat (aa*,can,aia,cia,lcf ,1 t 1 ,lnl,lzf ,lnl) “ . t 

(I • (I # (I # (I » (I * <1 * U * deat_pair) >)>))) ( 

(I # (I » (I t (I t (I t (I • daat.pair)))))) ( 

(I * (I # (I » (I # (I * daat.pair))))) ( 

(I # (I # (I # (I • daat.pair)))) ( 

(I • (I # (I » daat .pair))) ( 


(I * (I # dast.pair ) ) ( 

(I # dast.pair) ( 

(dast.pair paw) ) )))))) in 
lat (ia,f,r,w) ■ 

(I • (I • dast.pair)) ( 

(I # dast.pair) ( 

(dast.pair wig))) in 
l*t (jc,ad) “ dart .pair ape in 
SPECL [ax;sh;al;aa;ab;pc;r;v;ia;f ; 

ssa ;caa;sia;eia;lcf ; lrf ; Inf ; lrf ; lal ; 
tg;sa;sb; jc;ad] tha;; 


lat SPEC.ALL.SELECTORS x - 
aap (SPEC.SELECTOR x) 

[Aaux ; Shift ; Alu ; Mbr ; Mar ; Paux ; Trgt ; SreA ; SreB ; 
S_aa;C_aa;S_ia;C_ia; Ld.e ; Ld.w ; Ld_n ; Ld.x ; 
Carc;Iack;Ftch;Rd;Ur;Cond;Addraaa] ; ; 

aap (dalata.cacha o fat) (cachrd.thaoriasO) ; ; 




Prow# tha instruction corractnasa laaaa for instruction n 


let INST_CORRECT_TAC n =
  let inst = term_list_el n
     (snd(dest_eq(
        snd(dest_forall(concl micro_inst_list))))) in
  let thm = el (n+1) instructions in
  let find_Phase_Int_term tm = (
     let ((x,y),z) = ((dest_comb # I)
                      (dest_comb tm)) in
     (x = "Phase_Int (rep:^rep_ty)")) ? false in (
  REPEAT STRIP_TAC
  THEN SUBST_TAC [SPEC inst Micro_Inst_Correct_LEMMA]
  THEN ASM_REWRITE_TAC [thm]
  THEN REPEAT STRIP_TAC
  THEN ASSUM_LIST (\x. MAP_EVERY ASSUME_TAC (
     CONJUNCTS (
      REWRITE_RULE [PAIR_EQ] (
       SUBS [CONV_RULE (ONCE_DEPTH_CONV EL_CONV) (
              SPEC (int_to_term n) micro_rom_expanded)] (
        CONV_RULE (ONCE_DEPTH_CONV bt6_val_CONV) (
         SUBS [el 2 x] (
          (\y. MP y (el 1 x)) (
           SPEC "t:time" (
            MATCH_MP phase_one_expanded
              (hd (filter (find_Phase_Int_term o concl) x)) )))))))))
  THEN ASSUM_LIST (\x. MAP_EVERY ASSUME_TAC (
     CONJUNCTS (
      REWRITE_RULE [PAIR_EQ] (
       SUBS (SPEC_ALL_SELECTORS (concl (el 2 x))) (
        SUBS [el 2 x] (
         (\y. MP y (el 1 x)) (
          SPEC "t+1" (
           MATCH_MP phase_two_expanded
             (hd (filter (find_Phase_Int_term o concl) x)) ))))))))
  THEN ASSUM_LIST (\x. MAP_EVERY ASSUME_TAC (
     CONJUNCTS (
      REWRITE_RULE [PAIR_EQ] (
       SUBS (SPEC_ALL_SELECTORS (concl (el 2 x))) (
        SUBS [el 2 x] (
         (\y. MP y (el 1 x)) (
          SPEC "(t+1)+1" (
           MATCH_MP phase_three_expanded
             (hd (filter (find_Phase_Int_term o concl) x)) ))))))))
  THEN ASSUM_LIST (\x. MAP_EVERY ASSUME_TAC (
     CONJUNCTS (
      REWRITE_RULE [PAIR_EQ] (
       EXPAND_LET_RULE (
        REWRITE_RULE [PAIR_EQ;
                      ALU_FUNC; ALU_CARRY_FUNC; ALU_OVFL_FUNC;
                      ALU_NEG_FUNC; ALU_ZERO_FUNC; SHIFTER_FUNC;
                      SHIFTER_CARRY_FUNC] (
         SUBS (SPEC_ALL_SELECTORS (concl (el 2 x))) (
          SUBS [el 2 x] (
           (\y. MP y (el 1 x)) (
            SPEC "((t+1)+1)+1" (
             MATCH_MP (el 4 Phase_Int_Inst_list)
               (hd (filter (find_Phase_Int_term o concl) x)) ))))))))))
  THEN EXISTS_TAC "((t + 1) + 1) + 1"
  THEN CONV_TAC (TOP_DEPTH_CONV ADD_ASSOC_CONV)
  THEN BETA_TAC
  THEN ASM_REWRITE_TAC [PAIR_EQ;MPC_UNIT]
  THEN REPEAT CONJ_TAC
  THEN FIRST [
     GEN_TAC
     THEN SPEC_TAC ("t':time","t':time")
     THEN PURE_ONCE_REWRITE_TAC [ADD1]
     THEN CONV_TAC (TOP_DEPTH_CONV ADD_ASSOC_CONV)
     THEN REPEAT (
        ((MATCH_MP_TAC RANGE_LEMMA) ORELSE ALL_TAC)
        THEN CONJ_TAC
        THEN ONCE_REWRITE_TAC [LESS_SQUEEZE_LEMMA] )
     THEN ASM_REWRITE_TAC [PAIR_EQ]
     ;
     PURE_ONCE_REWRITE_TAC [SYM_RULE ADD1]
     THEN CONV_TAC (TOP_DEPTH_CONV INV_ADD_ASSOC_CONV)
     THEN REWRITE_TAC [
        REWRITE_RULE [ADD_CLAUSES;NOT_SUC] (
           GEN_ALL (
              SPECL ["m:num";"SUC n"] LESS_ADD_NONZERO))]
     ;
     ALL_TAC
  ]);;


let PROVE_INST_CORRECT_LEMMA n = (
  TAC_PROOF (([],
              MK_INST_CORRECT_GOAL n),
             INST_CORRECT_TAC n))
  ? BOOL_CASES_AX;;



%
Save lemma for recovery in the event of a crash.
%
let SAVE_INST_LEMMA n =
  let name = (concat `INST_` (string_of_int n)) in
  save_thm(name, PROVE_INST_CORRECT_LEMMA n);;

map (delete_cache o fst) (cached_theories());;

letrec mk_num_list n m =
  if n = m then [m] else
  (n . (mk_num_list (n+1) m));;

let inst_lemma_list =
  (map SAVE_INST_LEMMA (mk_num_list 0 15));;

map (delete_cache o fst) (cached_theories());;

let inst_lemma_list =
  inst_lemma_list @
  (map SAVE_INST_LEMMA (mk_num_list 16 31));;

map (delete_cache o fst) (cached_theories());;

let inst_lemma_list =
  inst_lemma_list @
  (map SAVE_INST_LEMMA (mk_num_list 32 47));;

map (delete_cache o fst) (cached_theories());;

let inst_lemma_list =
  inst_lemma_list @
  (map SAVE_INST_LEMMA (mk_num_list 48 63));;

map (delete_cache o fst) (cached_theories());;

%
The first obligation of the abstract interpreter theory
%
let Micro_Int_CORRECT_LEMMA_AUX = TAC_PROOF
  (([],
    "! (rep:^rep_ty) (reg:time->(*wordn)list) (mem:time->*memory)
       (psw pc ivec ir mar mbr alatch blatch:time->*wordn)
       (mpc:time->bt6) (clk:time->bt2) (urom:num->ucode) (mir:time->ucode)
       (ireq_ff iack_ff int_e:time->bool) .
     (!p. mk_psw rep
            (get_sm rep p,get_ie rep p,get_vf rep p,
             get_nf rep p,get_cf rep p,get_zf rep p) = p) ==>
     EVERY (Micro_Int_Inst_Correct rep
              (\t. (reg t,psw t,pc t,mem t,
                    ivec t,ir t,mar t,mbr t,mpc t,
                    alatch t,blatch t,ireq_ff t,iack_ff t,
                    mir t,micro_rom,clk t))
              (\t. (int_e t))) (micro_inst_list rep)"),
   REWRITE_TAC [EVERY_DEF;micro_inst_list]
   THEN REPEAT STRIP_TAC
   THEN POP_ASSUM (\asl. MP_TAC asl)
   THENL (map MATCH_ACCEPT_TAC inst_lemma_list)
  );;

let Micro_Int_CORRECT_LEMMA = (
  UNDISCH_ALL (
    SPEC_ALL (
      PURE_ONCE_REWRITE_RULE [Micro_Int_Inst_Correct_def]
        Micro_Int_CORRECT_LEMMA_AUX)));;

save_thm(`Micro_Int_CORRECT_LEMMA`,Micro_Int_CORRECT_LEMMA);;


%
The second obligation of the abstract interpreter theory
%
let Micro_Int_LENGTH_LEMMA = TAC_PROOF
  (([],
    "!mpc. bt6_val mpc < (LENGTH (micro_inst_list (rep:^rep_ty)))"),
   REPEAT GEN_TAC
   THEN REWRITE_TAC [micro_inst_list;LENGTH]
   THEN STRUCT_CASES_TAC (SPEC "mpc:bt6" SIX_TUPLE_VALUE_LEMMA)
   THEN CONV_TAC (DEPTH_CONV bt6_val_CONV)
   THEN CONV_TAC (TOP_DEPTH_CONV num_CONV)
   THEN REWRITE_TAC [LESS_0;LESS_MONO_EQ]
  );;

save_thm(`Micro_Int_LENGTH_LEMMA`,Micro_Int_LENGTH_LEMMA);;
map (delete_cache o fst) (cached_theories());;

%
The third obligation of the abstract interpreter theory
%
let Micro_Int_ORDER_LEMMA = TAC_PROOF
  (([],
    "!mpc:bt6. mpc = (FST (EL (bt6_val mpc)
                             (micro_inst_list (rep:^rep_ty))))"),
   REPEAT GEN_TAC
   THEN SUBST_TAC [SPEC "rep:^rep_ty" micro_inst_list]
   THEN STRUCT_CASES_TAC (SPEC "mpc:bt6" SIX_TUPLE_VALUE_LEMMA)
   THEN CONV_TAC (ONCE_DEPTH_CONV bt6_val_CONV)
   THEN CONV_TAC (ONCE_DEPTH_CONV EL_CONV)
   THEN REWRITE_TAC []
  );;

save_thm(`Micro_Int_ORDER_LEMMA`,Micro_Int_ORDER_LEMMA);;
map (delete_cache o fst) (cached_theories());;
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lat thaoran.list ■ 

instant iat a.abstract .thaorans 
‘gsa.I* 

[Hicro.Int .CORRECT .LEMtA ; 

Micr o.Int .LEIGTH.LEHMA ; 

Micro.Int_ORDER.LEMU] 

[ 

("rap : * I.rap.ty** , 

"(nicro.inat.liat (rap: ~rap_ty) , 
bt6.ral, 

GatKPC : *»icro_atata->“nicro_anT->bt6, 
(Phaaa.Subatata rap) : ‘'phasa_stata->~nicro_stata # 

(I : ~phasa_anv-> ‘nicxo.anv) , 

Phaaa.Int rap, 

(GatPhasaClock rap) : ~phasa_stata->~pfaasa_anT->bt2, 
PhasaClockBagin : bt 2 , «x : ona « P) ") ; 

('•a* :ti*a'->aanv M \ 

"(\t:tina. (int.a t) :bool) ") ; 

(”* ’ : ti»a->*stata * " , 

"(\t. (rag t ,paw t,pc t,maa t, 

ivac t , ir t,nar t,nbr t,»pc t, 

alatch t, blatch t, iraq.fl t, iack.fi t, 

air t, aicro.roa, elk t ) ) : tiaa->~phasa_stata M ) 

] 

‘MICRO 1 ;; 

lat corract.laaaa * snd(hd thaoran.list) ; ; 


lat MICRO.LEVEL.CORRECT.LEMMA - aava.thn 
( ‘MICRO. LEVEL .CORRECT .LEMKA' f 
BETA.RULE ( 

EXP AID. LET. RULE ( 

DICE. REWRITE. RULE [Phaaa.Subatata ;I.THM; GatPhasaClock; PhaaaClockBagin] ( 
BETA.RULE ( 

DICE. RE WRITE. RULE [STM.RULE Micro. Int.daf] corract.lanna)))) 

);; 
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3.7 The Macro-Level 

This section presents the theories that define the macro-level £^ ted “ ,lie * kMry 

that verifies the macro-level interpreter with respect to the micro-level interpreter. 

3.7.1 The Macro-Level Interpreter 

The section presents the ML code that creates the theory macro.def.th. 


daf .macro. ml 

Author: (c) P. J- Wiadl‘7 * 989 

Data: 24 OCT 89 

Hodifiad: 03 APR 90 

Dascription: 

D#fin#s tha bahavioral dascription 

laral 


of tha macro intarpratar 


X 


sat, 


••arch path (••arch.pathO • t‘/«u*tag/ho»a/windlay^ol/tactic./‘ ; 

~ P « /muztag/homa/windlay/hol/ml/ ; 


]);; 


lat Library, 


Root - * /muztag/homa/windlay/hol/Library/ ‘ ; ; 


sot.saarch.path 

(saarch.pathO • 


(map (concat Library .Root) 

[‘numbars/* ; ‘dacimal/*; 1 assoc/'; tupla/ ]))•. 


load! * abstract 1 ; ; 

ftystam ‘/bin/rm macro.daf .th* ; ; 

naw.thaory 'macro.d ai * ; ; 

•ap M._par*nt ['aur.d.i'; ‘tupla*; ‘aur.thm.'; 

‘rags_daf‘; * ju*p_d*i‘] ; ; 

lat rap.ty - abstract _typa ‘aui.d.f ‘ *opcoda‘;; 


%
The instruction formats are given below:

Format 1:

   31      26     20     15     10              0
   +-------+------+------+------+---------------+
   |opcode | dest |  A   |  B   |    unused     |
   +-------+------+------+------+---------------+

Format 2:

   31      26     20     16                     0
   +-------+------+------+----------------------+
   |opcode | dest |  A   |         imm          |
   +-------+------+------+----------------------+

The following functions select fields from the instructions.
%

let GetSrcA = new_definition
  (`GetSrcA`,
   "! (rep:^rep_ty) mem reg .
     GetSrcA rep reg mem =
       reg_len rep (srca rep (fetch rep (mem, address rep reg)))"
  );;

let GetSrcB = new_definition
  (`GetSrcB`,
   "! (rep:^rep_ty) mem reg .
     GetSrcB rep reg mem =
       reg_len rep (srcb rep (fetch rep (mem, address rep reg)))"
  );;

let GetImm = new_definition
  (`GetImm`,
   "! (rep:^rep_ty) mem reg .
     GetImm rep reg mem =
       (imm rep (fetch rep (mem, address rep reg)))"
  );;

let GetDest = new_definition
  (`GetDest`,
   "! (rep:^rep_ty) mem reg .
     GetDest rep reg mem =
       reg_len rep (dest rep (fetch rep (mem, address rep reg)))"
  );;

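The field selectors above are abstract functions of the representation `rep`; the HOL text fixes neither the bit widths nor the opcode numbering. The following Python decoder is an added example (it is not part of Windley's HOL scripts) that commits to one concrete layout so the two formats can be exercised: a 6-bit opcode field in bits 31..26 whose low five bits (the SND of `opcode rep`) index the instruction list, dest in bits 25..21, A in 20..16, B in 15..11 for Format 1 and a 16-bit immediate in bits 15..0 for Format 2. Those positions are read off the column labels of the diagrams and are an assumption; the mnemonic order is the order of macro_inst_list later in this file.

```python
"""Decoder and encoder for the two AVM-1 instruction formats (added example).

Field positions are an assumption made for this model; the HOL definitions
leave them to the abstract representation `rep`.
"""
from typing import NamedTuple

# Opcode index -> mnemonic, in the order of macro_inst_list.
MNEMONICS = [
    "JMP", "CALL", "INT", "RTI", "GPSW", "PPSW", "LD", "ST",
    "LSL", "LSR", "ASR", "RTN", "NOOP", "NOOP", "LDI", "STI",
    "ADD", "ADDC", "SUB", "SUBC", "BAND", "BOR", "BXOR", "BNOT",
    "ADDI", "ADDCI", "SUBI", "SUBCI", "BANDI", "BORI", "BXORI", "NOOP",
]
# Instructions whose HOL definition reads GetImm, i.e. use Format 2.
FORMAT2 = {"JMP", "CALL", "INT", "LDI", "STI",
           "ADDI", "ADDCI", "SUBI", "SUBCI", "BANDI", "BORI", "BXORI"}


class Fields(NamedTuple):
    mnemonic: str
    opcode: int   # 5-bit index into the instruction list
    dest: int     # GetDest
    srca: int     # GetSrcA
    srcb: int     # GetSrcB, meaningful for Format 1 only
    imm: int      # GetImm, meaningful for Format 2 only
    fmt: int


def decode(word: int) -> Fields:
    """Split a 32-bit instruction word into its fields."""
    word &= 0xFFFFFFFF
    opcode = (word >> 26) & 0x1F          # SND of the 6-bit field: bit 31 is dropped
    mnemonic = MNEMONICS[opcode]
    return Fields(mnemonic, opcode,
                  dest=(word >> 21) & 0x1F,
                  srca=(word >> 16) & 0x1F,
                  srcb=(word >> 11) & 0x1F,
                  imm=word & 0xFFFF,
                  fmt=2 if mnemonic in FORMAT2 else 1)


def encode(mnemonic: str, dest: int, srca: int, srcb: int = 0, imm: int = 0) -> int:
    """Inverse of decode; used here to construct instruction words for tests."""
    opcode = MNEMONICS.index(mnemonic)
    word = (opcode << 26) | ((dest & 0x1F) << 21) | ((srca & 0x1F) << 16)
    if mnemonic in FORMAT2:
        return word | (imm & 0xFFFF)
    return word | ((srcb & 0x1F) << 11)


def disassemble(word: int) -> str:
    """Render one word the way an assembler listing would show it."""
    f = decode(word)
    if f.fmt == 2:
        return f"{f.mnemonic} r{f.dest}, r{f.srca}, #{f.imm:#x}"
    return f"{f.mnemonic} r{f.dest}, r{f.srca}, r{f.srcb}"
```

Because the selector for the B field and the low bits of the immediate overlap, `decode` reports both and lets the instruction's format decide which one is meaningful, which is exactly what the HOL definitions do by calling either GetSrcB or GetImm.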

%
Arithmetic functions:
%
let ADD = new_definition
  (`ADD`,
   "! (rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     ADD rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           b = EL (GetSrcB rep pc mem) reg and
           d = GetDest rep pc mem in
       let result = add rep (a, b) in
       let cflag = addp rep (a, b, result) and
           vflag = aovfl rep (a, b, result) and
           nflag = negp rep result and
           zflag = zerop rep result and
           sm = get_sm rep psw and
           ie = get_ie rep psw in
       (UPDATE_REG rep psw d reg result,
        mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
        inc rep pc,
        mem,
        ivec)"
  );;

let ADDC = new_definition
  (`ADDC`,
   "! (rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     ADDC rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           b = EL (GetSrcB rep pc mem) reg and
           d = GetDest rep pc mem in
       let result = addc rep (a, b, get_cf rep psw) in
       let cflag = addcp rep (a, b, result) and
           vflag = aovfl rep (a, b, result) and
           nflag = negp rep result and
           zflag = zerop rep result and
           sm = get_sm rep psw and
           ie = get_ie rep psw in
       (UPDATE_REG rep psw d reg result,
        mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
        inc rep pc,
        mem,
        ivec)"
  );;

let SUB = new_definition
  (`SUB`,
   "! (rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     SUB rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           b = EL (GetSrcB rep pc mem) reg and
           d = GetDest rep pc mem in
       let result = sub rep (a, b) in
       let cflag = subp rep (a, b, result) and
           vflag = sovfl rep (a, b, result) and
           nflag = negp rep result and
           zflag = zerop rep result and
           sm = get_sm rep psw and
           ie = get_ie rep psw in
       (UPDATE_REG rep psw d reg result,
        mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
        inc rep pc,
        mem,
        ivec)"
  );;

let SUBC = new_definition
  (`SUBC`,
   "! (rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     SUBC rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           b = EL (GetSrcB rep pc mem) reg and
           d = GetDest rep pc mem in
       let result = subc rep (a, b, get_cf rep psw) in
       let cflag = subp rep (a, b, result) and
           vflag = sovfl rep (a, b, result) and
           nflag = negp rep result and
           zflag = zerop rep result and
           sm = get_sm rep psw and
           ie = get_ie rep psw in
       (UPDATE_REG rep psw d reg result,
        mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
        inc rep pc,
        mem,
        ivec)"
  );;

%
Immediate arithmetic functions:
%
let ADDI = new_definition
  (`ADDI`,
   "! (rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     ADDI rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           i = GetImm rep pc mem and
           d = GetDest rep pc mem in
       let result = add rep (a, i) in
       let cflag = addp rep (a, i, result) and
           vflag = aovfl rep (a, i, result) and
           nflag = negp rep result and
           zflag = zerop rep result and
           sm = get_sm rep psw and
           ie = get_ie rep psw in
       (UPDATE_REG rep psw d reg result,
        mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
        inc rep pc,
        mem,
        ivec)"
  );;

let ADDCI = new_definition
  (`ADDCI`,
   "! (rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     ADDCI rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           i = GetImm rep pc mem and
           d = GetDest rep pc mem in
       let result = addc rep (a, i, get_cf rep psw) in
       let cflag = addcp rep (a, i, result) and
           vflag = aovfl rep (a, i, result) and
           nflag = negp rep result and
           zflag = zerop rep result and
           sm = get_sm rep psw and
           ie = get_ie rep psw in
       (UPDATE_REG rep psw d reg result,
        mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
        inc rep pc,
        mem,
        ivec)"
  );;

let SUBI = new_definition
  (`SUBI`,
   "! (rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     SUBI rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           i = GetImm rep pc mem and
           d = GetDest rep pc mem in
       let result = sub rep (a, i) in
       let cflag = subp rep (a, i, result) and
           vflag = sovfl rep (a, i, result) and
           nflag = negp rep result and
           zflag = zerop rep result and
           sm = get_sm rep psw and
           ie = get_ie rep psw in
       (UPDATE_REG rep psw d reg result,
        mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
        inc rep pc,
        mem,
        ivec)"
  );;

let SUBCI = new_definition
  (`SUBCI`,
   "! (rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     SUBCI rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           i = GetImm rep pc mem and
           d = GetDest rep pc mem in
       let result = subc rep (a, i, get_cf rep psw) in
       let cflag = subp rep (a, i, result) and
           vflag = sovfl rep (a, i, result) and
           nflag = negp rep result and
           zflag = zerop rep result and
           sm = get_sm rep psw and
           ie = get_ie rep psw in
       (UPDATE_REG rep psw d reg result,
        mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
        inc rep pc,
        mem,
        ivec)"
  );;
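The eight arithmetic definitions above share one shape: compute the result with add, addc, sub or subc, recompute the four condition flags from it, and carry sm and ie over unchanged into the new PSW. The abstract operations addp, addcp, subp, aovfl, sovfl, negp and zerop are uninterpreted in HOL. The Python model below is an added example (not part of Windley's HOL scripts) that gives them the usual two's-complement reading on 32-bit words so the flag behaviour can be checked on concrete operands. The borrow convention for subp (carry flag set when an unsigned borrow occurs) and the use of the carry flag as the borrow input of subc are assumptions of this model.

```python
"""Flag computation for ADD, ADDC, SUB and SUBC on WIDTH-bit words (added example).

The PSW tuple follows mk_psw rep (sm, ie, vflag, nflag, cflag, zflag).
Subtraction borrow convention is an assumption, see the lead-in.
"""
from typing import NamedTuple, Tuple

WIDTH = 32
MASK = (1 << WIDTH) - 1
SIGN = 1 << (WIDTH - 1)


class PSW(NamedTuple):
    sm: bool
    ie: bool
    vf: bool
    nf: bool
    cf: bool
    zf: bool


def negp(x: int) -> bool:
    return bool(x & SIGN)


def zerop(x: int) -> bool:
    return (x & MASK) == 0


def aovfl(a: int, b: int, result: int) -> bool:
    """Signed overflow on addition: operands share a sign the result lacks."""
    return bool(~(a ^ b) & (a ^ result) & SIGN)


def sovfl(a: int, b: int, result: int) -> bool:
    """Signed overflow on subtraction: operand signs differ and the result
    takes the sign of the subtrahend."""
    return bool((a ^ b) & (a ^ result) & SIGN)


def add_like(a: int, b: int, carry_in: int) -> Tuple[int, bool]:
    """add / addc together with addp / addcp (carry out of bit WIDTH-1)."""
    full = (a & MASK) + (b & MASK) + carry_in
    return full & MASK, full > MASK


def sub_like(a: int, b: int, borrow_in: int) -> Tuple[int, bool]:
    """sub / subc together with subp, read as 'an unsigned borrow occurred'."""
    full = (a & MASK) - (b & MASK) - borrow_in
    return full & MASK, full < 0


def alu_instruction(op: str, a: int, b: int, psw: PSW) -> Tuple[int, PSW]:
    """Result and new PSW for one instruction, exactly as the HOL definitions
    build them: sm and ie are copied from the old PSW, the rest recomputed."""
    if op == "ADD":
        result, cflag = add_like(a, b, 0)
        vflag = aovfl(a, b, result)
    elif op == "ADDC":
        result, cflag = add_like(a, b, int(psw.cf))
        vflag = aovfl(a, b, result)
    elif op == "SUB":
        result, cflag = sub_like(a, b, 0)
        vflag = sovfl(a, b, result)
    elif op == "SUBC":
        result, cflag = sub_like(a, b, int(psw.cf))
        vflag = sovfl(a, b, result)
    else:
        raise ValueError(f"not an ADD/SUB family instruction: {op}")
    return result, PSW(psw.sm, psw.ie, vflag, negp(result), cflag, zerop(result))


def add64(hi_a: int, lo_a: int, hi_b: int, lo_b: int, psw: PSW):
    """Double-word addition: ADD on the low words, then ADDC on the high words,
    which is what the carry flag threaded through the PSW is for."""
    lo, psw = alu_instruction("ADD", lo_a, lo_b, psw)
    hi, psw = alu_instruction("ADDC", hi_a, hi_b, psw)
    return hi, lo, psw
```

Note what is *not* recomputed: the mode bits sm and ie pass through every arithmetic instruction untouched, so the only definitions in this file that can change them are INT, RTI, EINT and PPSW.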
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X 

Shifting functions: 


1st LSL * nsw.dsf inition 

('LSL' , 

M ! (rap: "rap.ty) rag asa (psw pc ivacrswordn) . 

LSL rap (rag, psw, pc, m, irac) ■ 

1st s * EL (GstSrcA rsp pc asm) rsg and 
d * GstDsst rsp pc asa in 
1st rssult ■ shl rsp s in 
1st cflag - asb rsp a and 

▼flag * gat.rf rsp psw and 
nf lag ■ gst.nf rsp psw and 
zflag * gst.zf rsp psw and 
sa * gst.sa rsp psw and 

is - gat. is rsp psw in 

(UPDATE.REG rsp psw d rsg rssult, 
ak_psw rsp (sa, is, wflag, nflag, cflag, zflag), 
inc rsp pc, 

■•a, 

iysc)*' 

);; 

1st LSR * naw.daf inition 

(‘LSR‘, 

M ! (rap: "rap.ty) rsg asa (psw pc ivsc:swordn) . 

LSR rsp (rsg, psw, pc, asa, iwsc) ■ 

1st a ■ EL (GstSrcA rsp pc asa) rsg and 
d ■ GstDsst rsp pc asm in 
1st rssult * shr rsp a in 
1st cflag * lsb rsp a and 

▼flag ■ gat.yf rsp psw and 
nflag * gst.nf rsp psw and 
zflag ■ gst.zf rsp psw and 
sa - gst.sa rsp psw and 

is ■ gst.is rsp psw in 

(UPDATE.REG rsp psw d rsg rssult, 
ak.psw rsp (sa, is, yflag, nflag, cflag, zflag), 
inc rsp pc, 
asa, 
iwsc) M 

);; 

1st ASR - naw.daf inition 

( ' ASR * , 

M ! (rsp: “rap.ty) rsg asa (psw pc iwsciswordn) . 

ASR rsp (rsg, psw, pc, asa, iwsc) ■ 

1st a * EL (GstSrcA rsp pc asa) rsg and 
d ■ GstDsst rsp pc asa in 
1st rssult ■ asr rsp a in 
1st cflag ■ Xsb rsp a and 

▼flag • gat.yf rsp psw and 
nflag ■ gst.nf rsp psw and 
zflag ■ gst.zf rsp psw and 
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bb * gat .am rap paw and 

ia - gat.ia rap p*w in 

(UPDATE.REG rap paw d rag raault, 
nk.paw rap (am, ia, wflag, nflag , cflag, zflag), 
inc rap pc, 

Bam, 

iwac)" 


%
Logical functions:
%
let BAND = new_definition
  (`BAND`,
   "! (rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     BAND rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           b = EL (GetSrcB rep pc mem) reg and
           d = GetDest rep pc mem in
       let result = band rep (a, b) in
       let cflag = get_cf rep psw and
           vflag = get_vf rep psw and
           nflag = negp rep result and
           zflag = zerop rep result and
           sm = get_sm rep psw and
           ie = get_ie rep psw in
       (UPDATE_REG rep psw d reg result,
        mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
        inc rep pc,
        mem,
        ivec)"
  );;

let BOR = new_definition
  (`BOR`,
   "! (rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     BOR rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           b = EL (GetSrcB rep pc mem) reg and
           d = GetDest rep pc mem in
       let result = bor rep (a, b) in
       let cflag = get_cf rep psw and
           vflag = get_vf rep psw and
           nflag = negp rep result and
           zflag = zerop rep result and
           sm = get_sm rep psw and
           ie = get_ie rep psw in
       (UPDATE_REG rep psw d reg result,
        mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
        inc rep pc,
        mem,
        ivec)"
  );;

let BXOR = new_definition
  (`BXOR`,
   "! (rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     BXOR rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           b = EL (GetSrcB rep pc mem) reg and
           d = GetDest rep pc mem in
       let result = bxor rep (a, b) in
       let cflag = get_cf rep psw and
           vflag = get_vf rep psw and
           nflag = negp rep result and
           zflag = zerop rep result and
           sm = get_sm rep psw and
           ie = get_ie rep psw in
       (UPDATE_REG rep psw d reg result,
        mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
        inc rep pc,
        mem,
        ivec)"
  );;

let BNOT = new_definition
  (`BNOT`,
   "! (rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     BNOT rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           b = EL (GetSrcB rep pc mem) reg and
           d = GetDest rep pc mem in
       let result = bnot rep a in
       let cflag = get_cf rep psw and
           vflag = get_vf rep psw and
           nflag = negp rep result and
           zflag = zerop rep result and
           sm = get_sm rep psw and
           ie = get_ie rep psw in
       (UPDATE_REG rep psw d reg result,
        mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
        inc rep pc,
        mem,
        ivec)"
  );;

%
Immediate logical functions:
%
let BANDI = new_definition
  (`BANDI`,
   "! (rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     BANDI rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           i = GetImm rep pc mem and
           d = GetDest rep pc mem in
       let result = band rep (a, i) in
       let cflag = get_cf rep psw and
           vflag = get_vf rep psw and
           nflag = negp rep result and
           zflag = zerop rep result and
           sm = get_sm rep psw and
           ie = get_ie rep psw in
       (UPDATE_REG rep psw d reg result,
        mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
        inc rep pc,
        mem,
        ivec)"
  );;

let BORI = new_definition
  (`BORI`,
   "! (rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     BORI rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           i = GetImm rep pc mem and
           d = GetDest rep pc mem in
       let result = bor rep (a, i) in
       let cflag = get_cf rep psw and
           vflag = get_vf rep psw and
           nflag = negp rep result and
           zflag = zerop rep result and
           sm = get_sm rep psw and
           ie = get_ie rep psw in
       (UPDATE_REG rep psw d reg result,
        mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
        inc rep pc,
        mem,
        ivec)"
  );;

let BXORI = new_definition
  (`BXORI`,
   "! (rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     BXORI rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           i = GetImm rep pc mem and
           d = GetDest rep pc mem in
       let result = bxor rep (a, i) in
       let cflag = get_cf rep psw and
           vflag = get_vf rep psw and
           nflag = negp rep result and
           zflag = zerop rep result and
           sm = get_sm rep psw and
           ie = get_ie rep psw in
       (UPDATE_REG rep psw d reg result,
        mk_psw rep (sm, ie, vflag, nflag, cflag, zflag),
        inc rep pc,
        mem,
        ivec)"
  );;


%
Load and Store:
%
let LD = new_definition
  (`LD`,
   "! (rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     LD rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           b = EL (GetSrcB rep pc mem) reg and
           d = GetDest rep pc mem in
       let result = fetch rep (mem, address rep (add rep (a, b))) in
       (UPDATE_REG rep psw d reg result,
        psw,
        inc rep pc,
        mem,
        ivec)"
  );;

let ST = new_definition
  (`ST`,
   "! (rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     ST rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           b = EL (GetSrcB rep pc mem) reg and
           d = EL (GetDest rep pc mem) reg in
       let new_address = address rep (add rep (a, b)) in
       (reg,
        psw,
        inc rep pc,
        store rep (mem, new_address, d),
        ivec)"
  );;

%
Immediate Load and Store:
%
let LDI = new_definition
  (`LDI`,
   "! (rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     LDI rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           i = GetImm rep pc mem and
           d = GetDest rep pc mem in
       let result = fetch rep (mem, address rep (add rep (a, i))) in
       (UPDATE_REG rep psw d reg result,
        psw,
        inc rep pc,
        mem,
        ivec)"
  );;

let STI = new_definition
  (`STI`,
   "! (rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     STI rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           i = GetImm rep pc mem and
           d = EL (GetDest rep pc mem) reg in
       let new_address = address rep (add rep (a, i)) in
       (reg,
        psw,
        inc rep pc,
        store rep (mem, new_address, d),
        ivec)"
  );;


%
Jump
%
let JMP = new_definition
  (`JMP`,
   "! (rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     JMP rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           i = GetImm rep pc mem and
           d = GetDest rep pc mem in
       let jump_cond = JUMP_COND rep d psw in
       (reg,
        psw,
        (jump_cond => (add rep (a, i)) | inc rep pc),
        mem,
        ivec)"
  );;

%
CALL a subroutine
%
let CALL = new_definition
  (`CALL`,
   "! (rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     CALL rep (reg, psw, pc, mem, ivec) =
       let a = EL (GetSrcA rep pc mem) reg and
           i = GetImm rep pc mem and
           d = GetDest rep pc mem and
           cd = (EL (GetDest rep pc mem) reg) in
       (UPDATE_REG rep psw d reg (inc rep cd),
        psw,
        add rep (a, i),
        store rep (mem, address rep cd, inc rep pc),
        ivec)"
  );;

let RTN = new_definition
  (`RTN`,
   "! (rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     RTN rep (reg, psw, pc, mem, ivec) =
       let cd = EL (GetDest rep pc mem) reg and
           d = GetDest rep pc mem in
       (UPDATE_REG rep psw d reg (dec rep cd),
        psw,
        fetch rep (mem, address rep (dec rep cd)),
        mem,
        ivec)"
  );;
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X 

Interrupt instruction 


1st IIT ■ nav.daf inition 
C‘I«T* . 

M !(rap:~rap_ty) rag aaa (pav pc irac:*vordn) . 

IIT rap (rag, pav , pc, m, ivac) ■ 
lat i * Gatin rap pc »an in 
l#t cflag ■ gat.cf rap pav and 
▼flag ■ gat _rf rap pav and 
nf lag ■ gat.nf rap pav and 

rllag ■ gat.zf rap pav and 

an - T and 

ia * P in 

1st nsw.psw - nk.psw rap (sn, is, rflag, nflag, cflag. xflag) in 
(UPDATE.REG rap naw.paa ssp.rsg rag (inc rap (SSP.REG rag)), 
nav.pav, 

band rap (vordn rap 255, i) , 

atora rap (van, addraaa rap (SSP.REG rag), inc rap pc), 
irac)" 

);; 

lat RTI » nav.daf inition 
(‘RTI‘, 

"* (rap:*rap_ty) rag nan (pav pc ivac:*vordn) . 

RTI rap (rag, paw, pc, man, irac) * 
lat cd ■ SSP.REG rag in 


lat cflag 

* gat.cf rap pav and 

▼flag 

* gat.rf rap pav and 

nflag 

■ gat.nf rap pav and 

nflag 

* gat.zf rap pav and 

sn 

■ F and 

ia 

- T in 


(UPDATE.REG rap pav aap.rag rag (dac rap cd) , 
nk.pav rap (aa, ia, rilag, nflag, cflag, zl lag) , 
fatch rap (aaa, addraaa rap (dac rap cd)), 

ivac)" 




%
Get and put program status word

For future reference, it would be nice to store the psw banded
with a mask.
%
let GPSW = new_definition
  (`GPSW`,
   "! (rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     GPSW rep (reg, psw, pc, mem, ivec) =
       let d = GetDest rep pc mem in
       (UPDATE_REG rep psw d reg psw,
        psw,
        inc rep pc,
        mem,
        ivec)"
  );;

let PPSW = new_definition
  (`PPSW`,
   "! (rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     PPSW rep (reg, psw, pc, mem, ivec) =
       let d = EL (GetDest rep pc mem) reg in
       let sm = get_sm rep psw in
       (reg,
        (sm => d | psw),
        inc rep pc,
        mem,
        ivec)"
  );;

%
No operation
%
let NOOP = new_definition
  (`NOOP`,
   "! (rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     NOOP rep (reg, psw, pc, mem, ivec) =
       (reg,
        psw,
        inc rep pc,
        mem,
        ivec)"
  );;


%
Pseudo instruction for external interrupt
%
let EINT = new_definition
  (`EINT`,
   "! (rep:^rep_ty) reg mem (psw pc ivec:*wordn) .
     EINT rep (reg, psw, pc, mem, ivec) =
       let cd = SSP_REG reg and
           d = ssp_reg in
       let cflag = get_cf rep psw and
           vflag = get_vf rep psw and
           nflag = get_nf rep psw and
           zflag = get_zf rep psw and
           sm = T and
           ie = F in
       let new_psw = mk_psw rep (sm, ie, vflag, nflag, cflag, zflag) in
       (UPDATE_REG rep new_psw d reg (inc rep cd),
        new_psw,
        band rep (wordn rep 255, int_fetch rep ivec),
        store rep (mem, address rep cd, pc),
        ivec)"
  );;


let macro_state = ":((*wordn)list#*wordn#*wordn#*memory#*wordn)";;
let macro_env = ":bool";;

%
ABS_ENV takes a function of type (macro_state -> macro_state) and
creates a function of type (macro_state -> macro_env -> macro_state).
The purpose of this function is to make the functions defining the
instructions have the right type for use in the instruction list.
%
let ABS_ENV = new_definition
  (`ABS_ENV`,
   "! (f:^macro_state->^macro_state) (x:^macro_state) (y:^macro_env) .
     ABS_ENV f x y = f x"
  );;

%
The macro_inst_list will be used to instantiate inst_list in
mk_macro.ml.
%
let macro_inst_list = new_definition
  (`macro_inst_list`,
   "! rep:^rep_ty .
     macro_inst_list rep =
       [(INL(F,F,F,F,F), ABS_ENV (JMP rep));
        (INL(F,F,F,F,T), ABS_ENV (CALL rep));
        (INL(F,F,F,T,F), ABS_ENV (INT rep));
        (INL(F,F,F,T,T), ABS_ENV (RTI rep));
        (INL(F,F,T,F,F), ABS_ENV (GPSW rep));
        (INL(F,F,T,F,T), ABS_ENV (PPSW rep));
        (INL(F,F,T,T,F), ABS_ENV (LD rep));
        (INL(F,F,T,T,T), ABS_ENV (ST rep));
        (INL(F,T,F,F,F), ABS_ENV (LSL rep));
        (INL(F,T,F,F,T), ABS_ENV (LSR rep));
        (INL(F,T,F,T,F), ABS_ENV (ASR rep));
        (INL(F,T,F,T,T), ABS_ENV (RTN rep));
        (INL(F,T,T,F,F), ABS_ENV (NOOP rep));
        (INL(F,T,T,F,T), ABS_ENV (NOOP rep));
        (INL(F,T,T,T,F), ABS_ENV (LDI rep));
        (INL(F,T,T,T,T), ABS_ENV (STI rep));
        (INL(T,F,F,F,F), ABS_ENV (ADD rep));
        (INL(T,F,F,F,T), ABS_ENV (ADDC rep));
        (INL(T,F,F,T,F), ABS_ENV (SUB rep));
        (INL(T,F,F,T,T), ABS_ENV (SUBC rep));
        (INL(T,F,T,F,F), ABS_ENV (BAND rep));
        (INL(T,F,T,F,T), ABS_ENV (BOR rep));
        (INL(T,F,T,T,F), ABS_ENV (BXOR rep));
        (INL(T,F,T,T,T), ABS_ENV (BNOT rep));
        (INL(T,T,F,F,F), ABS_ENV (ADDI rep));
        (INL(T,T,F,F,T), ABS_ENV (ADDCI rep));
        (INL(T,T,F,T,F), ABS_ENV (SUBI rep));
        (INL(T,T,F,T,T), ABS_ENV (SUBCI rep));
        (INL(T,T,T,F,F), ABS_ENV (BANDI rep));
        (INL(T,T,T,F,T), ABS_ENV (BORI rep));
        (INL(T,T,T,T,F), ABS_ENV (BXORI rep));
        (INL(T,T,T,T,T), ABS_ENV (NOOP rep));
        (INR(one),       ABS_ENV (EINT rep))
       ]"
  );;

%
Opcode will be used to instantiate select in mk_macro.ml.
%
let Opcode = new_definition
  (`Opcode`,
   "! (rep:^rep_ty) reg mem (psw pc ivec:*wordn) (int_e:bool) .
     Opcode rep (reg, psw, pc, mem, ivec) int_e =
       (int_e /\ (get_ie rep psw)) =>
         INR(one) |
         INL(SND (opcode rep (fetch rep (mem, address rep pc))))"
  );;

%
Opc_Val will be used to instantiate key in mk_macro.ml.
%
let Opc_Val = new_definition
  (`Opc_Val`,
   "! x .
     Opc_Val (x:((bool#bool#bool#bool#bool) + one)) =
       (ISL x) => (bt5_val (OUTL x))
                | 32"        % there is only one pseudo instruction %
  );;

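Two things in this file decide what user code can and cannot do to the machine's mode bits. PPSW replaces the PSW only when sm is already set, INT and EINT are the only definitions that set sm and clear ie (pushing the return address on the supervisor stack), RTI is the only one that clears sm and sets ie, and Opcode lets a pending external interrupt pre-empt the fetched opcode only while ie is set, so interrupts are masked inside a handler until RTI. The Python model below is an added example (not part of Windley's HOL scripts) that runs these definitions together with Opcode and Opc_Val on a concrete machine. Its assumptions, which the HOL text does not fix: 32-bit words; register 7 is the supervisor stack pointer (ssp_reg) and registers 1..7 are the supervisor registers; UPDATE_REG never writes register 0 and refuses to write a supervisor register unless the PSW it is given has sm set; the PSW word is packed with bit 0 zero, 1 carry, 2 negative, 3 overflow, 4 interrupts enabled, 5 supervisor mode, as in the report's PSW table.

```python
"""Supervisor-mode and interrupt instructions of AVM-1 (added example).

Mirrors GPSW, PPSW, INT, RTI, EINT, Opcode and Opc_Val on a concrete
machine; register numbering and the UPDATE_REG write policy are assumptions.
"""
from dataclasses import dataclass, replace
from typing import Dict

MASK = 0xFFFFFFFF
SSP_REG = 7        # assumed register number of the supervisor stack pointer
EINT_KEY = 32      # Opc_Val (INR one): the external-interrupt pseudo instruction


@dataclass(frozen=True)
class PSW:
    sm: bool   # supervisory mode
    ie: bool   # interrupts enabled
    vf: bool
    nf: bool
    cf: bool
    zf: bool


@dataclass(frozen=True)
class State:
    reg: tuple            # register file, reg[0] is always 0
    psw: PSW
    pc: int
    mem: Dict[int, int]   # word-addressed sparse memory
    ivec: int             # external interrupt vector word


def psw_to_word(p: PSW) -> int:
    return sum(1 << i for i, b in enumerate((p.zf, p.cf, p.nf, p.vf, p.ie, p.sm)) if b)


def word_to_psw(w: int) -> PSW:
    bit = lambda i: bool((w >> i) & 1)
    return PSW(sm=bit(5), ie=bit(4), vf=bit(3), nf=bit(2), cf=bit(1), zf=bit(0))


def update_reg(psw: PSW, d: int, reg: tuple, value: int) -> tuple:
    """UPDATE_REG with the assumed write policy: r0 read-only, supervisor
    registers writable only when the supplied PSW has sm set."""
    if d == 0 or (1 <= d <= SSP_REG and not psw.sm):
        return reg
    new = list(reg)
    new[d] = value & MASK
    return tuple(new)


def opcode_key(psw: PSW, int_e: bool, opcode_field: int) -> int:
    """Opcode followed by Opc_Val: a pending external interrupt (int_e) is
    selected ahead of the fetched opcode only while the PSW has ie set."""
    return EINT_KEY if (int_e and psw.ie) else opcode_field & 0x1F


def gpsw(s: State, d: int) -> State:
    """GPSW: the PSW may be read into register d in any mode."""
    return replace(s, reg=update_reg(s.psw, d, s.reg, psw_to_word(s.psw)), pc=s.pc + 1)


def ppsw(s: State, d: int) -> State:
    """PPSW: (sm => d | psw). Register d replaces the PSW only in supervisor
    mode, so user code cannot grant itself sm or ie."""
    new_psw = word_to_psw(s.reg[d]) if s.psw.sm else s.psw
    return replace(s, psw=new_psw, pc=s.pc + 1)


def _enter(s: State, vector: int, return_pc: int) -> State:
    """Common body of INT and EINT: push return_pc on the supervisor stack,
    advance the SSP, set sm, clear ie, jump to the vector banded with 255."""
    ssp = s.reg[SSP_REG]
    new_psw = replace(s.psw, sm=True, ie=False)
    mem = dict(s.mem)
    mem[ssp] = return_pc & MASK
    reg = update_reg(new_psw, SSP_REG, s.reg, ssp + 1)   # written under new_psw, as INT does
    return State(reg, new_psw, vector & 0xFF, mem, s.ivec)


def int_instr(s: State, imm: int) -> State:
    """INT: software interrupt; resumes after the INT instruction."""
    return _enter(s, imm, s.pc + 1)


def eint(s: State) -> State:
    """EINT: external interrupt; resumes at the interrupted instruction."""
    return _enter(s, s.ivec, s.pc)


def rti(s: State) -> State:
    """RTI: pop the return address, leave supervisor mode, re-enable ie."""
    ssp = s.reg[SSP_REG] - 1
    reg = update_reg(s.psw, SSP_REG, s.reg, ssp)           # old (supervisor) PSW, as RTI does
    return State(reg, replace(s.psw, sm=False, ie=True), s.mem.get(ssp, 0), s.mem, s.ivec)


def scenario() -> dict:
    """Constructed run: user code holding a supervisor PSW image in r9 tries
    PPSW, then executes INT 0x1F0, and the handler returns with RTI."""
    reg = [0] * 32
    reg[SSP_REG] = 0x100                                   # supervisor stack base (constructed)
    reg[9] = psw_to_word(PSW(sm=True, ie=True, vf=False, nf=False, cf=False, zf=False))
    s0 = State(tuple(reg), PSW(False, True, False, False, False, False), 0x40, {}, 0x55)
    s1 = ppsw(s0, 9)
    s2 = int_instr(s1, 0x1F0)
    s3 = rti(s2)
    return {
        "ppsw_from_user_escalates": s1.psw.sm,
        "ppsw_from_supervisor_applies": ppsw(s2, 9).psw.ie,
        "int_vector": s2.pc,                                # 0x1F0 banded with 255
        "int_disables_ie": not s2.psw.ie,
        "pushed_return_pc": s2.mem[0x100],
        "ssp_after_int": s2.reg[SSP_REG],
        "rti_pc": s3.pc,
        "rti_user_mode": not s3.psw.sm,
        "eint_pending_user": opcode_key(s0.psw, True, 0b10000),
        "eint_pending_in_handler": opcode_key(s2.psw, True, 0b10000),
        "eint_return_pc": eint(s0).mem[0x100],
    }
```

The difference between INT storing `inc rep pc` and EINT storing `pc` is visible in the last two dictionary entries: a software interrupt resumes after the INT, whereas an external interrupt re-executes the instruction it pre-empted. Note also that the page's GPSW lets user code read sm and ie, so the PSW is confidentiality-free but integrity-protected.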

let Micro_Substate = new_definition
  (`Micro_Substate`,
   "! (rep:^rep_ty) (reg:(*wordn)list)
      (psw pc ivec ir mar mbr:*wordn) (mem:*memory)
      (mpc:bt6) .
     Micro_Substate rep (reg, psw, pc, mem, ivec, ir, mar, mbr, mpc) =
       (reg, psw, pc, mem, int_trans rep ivec)"
  );;

close_theory();;



3.7.2 The Macro-Level Proof

This section presents the ML code that creates the theory macro.th.

%
File:        mk_macro.ml

Author:      (c) P. J. Windley 1990

Date:        JUN 23, 1990

Modified:

Description:

  Proves the macro-level correct with respect to the micro-level
  using the generic interpreter theory, micro.th, and macro_def.th.
%

set_search_path (search_path() @ [`/muztag/home/windley/hol/tactics/`;
                                  `/muztag/home/windley/hol/ml/`;
                                 ]);;

let Library_Root = `/muztag/home/windley/hol/Library/`;;

set_search_path
  (search_path() @
   (map (concat Library_Root)
        [`tuple/`; `decimal/`]));;

loadf `abstract`;;

system `/bin/rm macro.th`;;

new_theory `macro`;;

map new_parent [`macro_def`; `gen_I`];;

map loadf [`tuple`; `digit`; `decimal`];;

%
Load stuff from macro_def
%
let load_macro_inst = (\x. definition `macro_def` x);;

let macro_defn_list = map load_macro_inst
  [`JMP`; `CALL`; `INT`; `RTI`; `GPSW`; `PPSW`; `LD`; `ST`;
   `LSL`; `LSR`; `ASR`; `RTN`; `NOOP`; `NOOP`; `LDI`; `STI`;
   `ADD`; `ADDC`; `SUB`; `SUBC`; `BAND`; `BOR`; `BXOR`; `BNOT`;
   `ADDI`; `ADDCI`; `SUBI`; `SUBCI`; `BANDI`; `BORI`; `BXORI`; `NOOP`];;
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lrt GetSrcA “ definition 'macro.def ' ‘GetSrcA ‘ ; ; 
let GetSrcB “ definition 1 *ecro_def ‘ ‘ GetSrcB ‘ ; ; 
let Getlma • definition ‘ macro _def ‘ ‘Get Inn' ; ; 
let GetDeet ■ definition 1 Macro _def ‘ 'GetDeet ‘ ; ; 

let ABS_EIV ■ definition ‘macro.def ‘ ABS.EIV' ; ; 

let Opcode “ definition ‘ macro _def ‘ ‘Opcode 1 ;; 

let Opc.Val “ definition ‘maero.def' ‘Opc.Val 1 ;; 

let Micro_Subetate - definition ‘ macro _dei ' ‘Micro .Substate' ; ; 

let macro.inst.list - definition ‘»ecro_def ‘ ‘macro.inst.list* ; ; 



Load stuff from micro.def . 


nes.parent 'micro';; 

1st load.micro.inst • (\x. theorem ‘micro_def x) ; ; 

X 

: tha list 

Run time: 2824.7s 


1st instructions m map load_micro_inst 
[‘FETCH* ;* ISSUE' ; 

‘DECODE ‘ ; 'BOOP.ul ‘ ; 

‘ JHP.ul ‘ ; * CALL.ul ‘ ; 

*I*T_ul‘ ;‘RTI_ul‘ ; 
‘GPSW_ul‘;‘PPSV_ul‘; 
‘LD_ul‘;‘ST_ul‘ ; 

‘LSL.ul ‘ ; ‘LSR.ul ‘ ; 

‘ ASR.ul ‘ ; *RTH_ul ‘ ; 

‘■OOP_ul ‘ ; ‘BOOP.ul ‘ ; 
'LDI_ul‘;‘STI_ul‘; 

* ADD.u 1 ‘ ; * ADDC.ul ‘ ; 

*SUB_ul ‘ ; ‘SUBC.ul ‘ ; 

‘ BABD.ul ‘ ; ‘BOR.ul ‘ ; 

‘BXOR.ul ‘ ; ‘BHOT.ul ‘ ; 

‘ ADDI.ul ‘ ; ‘ ADDCI.ul ‘ ; 
‘SUBI_ul*;‘SUBCI_ul‘; 

‘BABDI.ul* ; ‘BORI.ul ‘ ; 

‘BXORI.ul* ; ‘IOOP_ul‘ ; 

‘ CALL.U2 ‘ ; ‘ CALL_u3 ‘ ; 

*CALL_u4 ‘ ; ‘ IHT_u2 ‘ ; 

‘IBT_u3‘ ; *IIT_u4 ‘ ; 

‘RTI_u2‘ ;*RTI_u3‘ ; 

*RTB_u2 ‘ ; *LD_u2 ‘ ; 

‘ST_u2 ' ; ‘ST_u3 ‘ ; 
‘STI.iriVEIIT.ul'; 
‘EIIT_u2‘;‘EIIT_u3‘; 
‘EIRT_u4‘;‘U>_u3‘; 

‘BOOP.ul ‘ ; ‘BOOP.ul ‘ ; 

'BOOP.ul'; ‘BOOP.ul'; 
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‘BOOP.ul*; 'IOOP.ul‘; 

‘BOOP.ul ‘; ‘BOOP.ul 1 ; 

‘BOOP.ul ‘ ; ‘BOOP.ul *] ; ; 

let Micro. mst .list m definition ‘micro. def‘ ‘ micro. inst.list * ; ; 
let GetHPC ■ definition ‘micro_def‘ ‘GetHPC';; 

Other misc. loads. 

% 

let Micro.Int * theorem ‘micro 1 ‘Micro.Int';; 
let Bext * definition ‘time.abs' ‘Bext';; 
let add_bt6 * definition 'aux.thms' *add_bt6‘;; 

let OFFSET.BOT.BEGIBNIBG - theorem ‘aux.thms 1 ‘ OFFSET.BOT.BEGIBBIBG' 


X 

Load abstract type definitions. 

let rep.ty ■ abstract.type ‘aux.def' ‘opcode 1 ;; 

let I.rep.ty ■ abstract.type ‘gen_I‘ ‘Impl‘;; 


% 


X 

Define type terms for the state and env. 

% 

let macro.state ■ " : ( (**ordn)list#*wordn#*wordn#*memory#*wordn) M ; ; 

let macro.env - 11 : bool";; 

let micro.state « ((e*ordn)list#*wordn#ewordn#*memory# 
•wo^dn#*wo^dn#♦mordn#*wordn•bt6)' , ; ; 

let micro.env * *' :bool";; 


X 

Beginning of MPC 

let FETCH. ADDR - M (F # F # F t F t F»F)"; ; 

X 

Offset into microrom lookup table 

let OFFSET - "4" ; ; 


X 


X 


Define the macro level interpeter in terms of the generic 
interpreter definition. 

j 
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l#t Macro.Int.d af - naw.daf inition 

(‘Macro.Int.dai * , ^ 

»i (rap: "rap.ty) (s : tiaa-^aacro.stata) (a:tima-> aacro.any) . 

Macro. Int rap a a - 
IITERP 

(■aero. ins t .list rap, 

Opc.Val, Opcoda rap, 

(Micro. Substata rap) : ~aicro_stata->~macro_stata, 

(I : "aicro anT->~»acro.anY) , 

(Kicro.Int rep) : (ti*e->‘nicro_.t.te)-><tine->*»icro_enT>->bool. 
GetKPC : *nicro_»tate->‘»icro_env->bt6 , 

*FETCH_ADDR:bt6, *x:one.F) • •" 


let Hacro.Int * save.th* 

(‘Hacro.Int * , 

01 CE.REWRITE.RULE [Opcode] ( 

BETA.RULE ( 

BTPiWD LET RULE ( , 

instent iate.abstract .definition ‘gen.I* ‘IBTERP* Macro.Int.def ))) 




Macro. Int • 

|- !rap s a. 

Macro.Int rap s a * 

(!t. 

s(t + 1) - 
SVD 

(EL(0pc.Val (Opcoda rap(s t)(a t) ) ) (aacro.inat.list rap)) 
(s t) 

(a t)) 

Run tiaa: 21.6s 

Intaraadiata thaorans ganaratad: 929 


lat Macro. Ins t.Corract.daf * naw.dalinition 
( 'Macro_Inst.Corract.daf * , 

••! (rap: ~rap_ty) s' a' . 

Macro.Inst.Corract rap s' a' « 

I1ST.C0RRECT 

(■aero, inst .list rap, 

Opc.Val, Opcoda rap, 

Micro.Substata rap, I, Micro.Int rap, 

GatHPC, " FETCH. 1DDR, «x:ona.F) s' a ,M 

\ • * 

/ » i 

let Macro .Inst .Correct ■ save.th* 

(‘Macro.Inst .Correct* , 

let Macro .Inst .EXT - . . . . 

COIV.RULE (TOP.DEPTH.COIV FUl.EQ.COHV) Macro.Inst.Correct.def in 

REVRITE.RULE [I.THK] ( 

BETA.RULE ( 

EXP AMD LET RULE ( 



ins t ent i at #_*bs tract .definition 

'g*n_I' 'IIST.CORRECT* Macro Inst EXT))) 

);; 




Macro.Inst.Corract * 

I- !rop s' •’ p. 

Macro.Inst.Corract rap •’ •’ p « 

Micro.Int rap s’ a’ — > 

(!t. 

(Opeodo rap(Micro_Substata rap(s’ t))(a’ t) » FST p) /\ 
(GatMPC(s’ t)(a’ t) - F.F.F.F.F.F) — > 

(?c. 

Iaxt(\t ' . G«tMPC(s* t’)(*’ t’) - F,F,F,F,F,F)(t,t + c) /\ 
(SID p(Hicro_Substata rap (s’ t)) (•’ t) - 
Micro.Substata rap(s’(t + c))))) 

Run tin*: 74.3s 

Intarnadiata thaoraas gsnaratad: 4267 




I naad soma thaoraas about SUM not providad in tha thaory 



1st sua.axioa ■ 

BETA.RULE ( 

REVfRITE.RULE [o.DEF] ( 

COIV.RULE (TOP.DEPTH.COIV FUI.EQ.COIV) sua.Axioa) ) ; ; 

Xai IIJECTI0H_0IE_0IE * provs.constructors.ona.ona sua.axioa; ; 

lat IIJECTIOI.DISTIICT ■ proTa.constructors.distinct sua.azioa; ; 

let INJ_LEMMA_ONE = TAC_PROOF
  (([],
    "! (b:bool) (x:**) (y z:*) .
      ((b => INR x | INL y) = (INL z)) ==>
      (b = F) /\ (y = z)"),
   REPEAT GEN_TAC
   THEN BOOL_CASES_TAC "b:bool"
   THEN REWRITE_TAC []
   THEN STRIP_TAC
   THEN IMP_RES_TAC (SYM_RULE INJECTION_DISTINCT)
   THEN MATCH_MP_TAC (fst (EQ_IMP_RULE
                           (SPEC_ALL
                             (CONJUNCT1 INJECTION_ONE_ONE))))
   THEN POP_ASSUM (\thm. MATCH_ACCEPT_TAC thm)
  );;


let INJ_LEMMA_TWO = TAC_PROOF
  (([],
    "! (b:bool) (x z:**) (y:*) .
      ((b => INR x | INL y) = (INR z)) ==>
      (b = T) /\ (x = z)"),
   REPEAT GEN_TAC
   THEN BOOL_CASES_TAC "b:bool"
   THEN REWRITE_TAC []
   THEN STRIP_TAC
   THEN IMP_RES_TAC INJECTION_DISTINCT
   THEN MATCH_MP_TAC (fst (EQ_IMP_RULE
                           (SPEC_ALL
                             (CONJUNCT2 INJECTION_ONE_ONE))))
   THEN POP_ASSUM (\thm. MATCH_ACCEPT_TAC thm)
  );;


%
Some ML functions for the inference rules that follow.
%


let last l = (el (length l) l);;

letrec term_list_el n l = (
  let tm_hd x = rand(fst (dest_comb x)) and
      tm_tl x = snd(dest_comb x) in
  if (n = 0) then tm_hd l else
     term_list_el (n-1) (tm_tl l) ) ?
  failwith `term_list_el`;;


%
This is insecure for right now. If anyone is seriously concerned
that this isn't right, I'll do it over.
%


let EL_CONV tm = (
  let ((c,n),l) = ((dest_comb # I) o dest_comb) tm in
  let n_int = term_to_int n in
  mk_thm([], "^tm = ^(term_list_el n_int l)")) ?
  failwith `EL_CONV`;;


%
Some other nice conversions
%


let is_SND_term t =
  if is_comb t then
     fst (dest_const (fst (strip_comb t))) = `SND`
  else
     false;;


%
SND_CONV "SND (x,y)"  -->  |- SND (x,y) = y
%


let SND_CONV t =
  if is_SND_term t then
     let op,pr = dest_comb t in
     let op,[t1;t2] = strip_comb pr in
     SPECL [t1;t2] (
       INST_TYPE [((type_of t1),":*");
                  ((type_of t2),":**")] SND)
  else
     failwith `SND_CONV`;;


%
ADD_ASSOC_CONV "a+(b+c)"  -->  |- a+(b+c) = (a+b)+c
%

let ADD_ASSOC_CONV t =
  let op1,[t1;t2] = strip_comb t
  in
  let op2,[t3;t4] = strip_comb t2
  in
  if op1 = "$+" & op2 = "$+"
     then SPECL [t1;t3;t4] ADD_ASSOC
     else fail;;


%
INV_ADD_ASSOC_CONV "(a+b)+c"  -->  |- (a+b)+c = a+(b+c)
%

let INV_ADD_ASSOC = (GEN_ALL o SYM o SPEC_ALL) ADD_ASSOC;;

let INV_ADD_ASSOC_CONV t =
  let op1,[t1;t2] = strip_comb t
  in
  let op2,[t3;t4] = strip_comb t1
  in
  if op1 = "$+" & op2 = "$+"
     then SPECL [t3;t4;t2] INV_ADD_ASSOC
     else fail;;

%
inv_num_CONV "(SUC 2)"  -->  |- SUC 2 = 3
%

let inv_num_CONV n = (
  let x,y = dest_comb n in
  let y_inc = int_to_term ((term_to_int y) + 1) in
  if not(x = "SUC") then fail else
     SYM_RULE (num_CONV y_inc))
  ? failwith `inv_num_CONV`;;


%
Using MK_Micro_Int_Inst_LEMMA, we can prove a lemma of the form

|- Micro_Int
    rep
    (\t. (reg t,psw t,pc t,mem t,ivec t,ir t,mar t,mbr t,mpc t))
    (\t. (int_e t)) ==>
   (!t.
     (mpc t = F,F,T,F,T,T) ==>
     (reg(t + 1),psw(t + 1),pc(t + 1),mem(t + 1),ivec(t + 1),ir(t + 1),
      mar(t + 1),mbr(t + 1),mpc(t + 1) =
      ST_ul
       rep
       (reg t,psw t,pc t,mem t,ivec t,ir t,mar t,mbr t,F,F,T,F,T,T)
       (int_e t)))

for every microinstruction, by simply giving its position in the
list. Mapping the inference rule onto a list of integers from 0
to 63 yields a list of lemmas for each microinstruction. The
entire process (exclusive of autoloading
%


let Micro_Int_SPEC =
  PURE_ONCE_REWRITE_RULE [micro_inst_list;GetMPC] (
   BETA_RULE (
    SPECL ["rep:^rep_ty";
           "(\t. (reg t,psw t,pc t,mem t,
                  ivec t,ir t,mar t,mbr t,mpc t)):time->^micro_state";
           "(\t. (int_e t)):time->^micro_env"] Micro_Int));;


let MK_Micro_Int_Inst_LEMMA inst =
  let tp = mk_n_tuple_from_int 6 inst in
  let mpc_term = "mpc t = ^tp" in
  DISCH_ALL (
   GEN "t" (
    DISCH mpc_term (
     SUBS [SPECL ["rep:^rep_ty";
                  "reg t:(*wordn)list";
                  "mem t:*memory";
                  "psw t:*wordn";
                  "pc t:*wordn";
                  "ivec t:*wordn";
                  "ir t:*wordn";
                  "mar t:*wordn";
                  "mbr t:*wordn";
                  tp;
                  "int_e t:bool"] (el (inst+1) instructions)] (
      CONV_RULE (DEPTH_CONV SND_CONV) (
       CONV_RULE (ONCE_DEPTH_CONV EL_CONV) (
        SUBS [bt6_val_CONV "bt6_val ^tp"] (
         SUBS [ASSUME mpc_term] (
          SPEC_ALL (
           SUBS [Micro_Int_SPEC] (
            ASSUME
             "Micro_Int (rep:^rep_ty)
               (\t. (reg t,psw t,pc t,mem t,ivec t,ir t,mar t,mbr t,mpc t))
               (\t. (int_e t))"))))))))));;


let mk_num_list n =
  letrec mk_num_list_aux n m =
    if n = m then [m]
    else (n . (mk_num_list_aux (n+1) m)) in
  mk_num_list_aux 0 n;;

let Micro_Int_Inst_list = map MK_Micro_Int_Inst_LEMMA (mk_num_list 63);;


%
Normalize top assumption (get rid of add_bt6)
%



let NORMAL_POP_ASSUM_TAC =
  POP_ASSUM (\thm. ASSUME_TAC (
   CONV_RULE (ONCE_DEPTH_CONV bt6_val_CONV) (
    CONV_RULE DEC_ADD_CONV (
     % DEC_ADD_CONV broken for "0 + 1" %
     PURE_ONCE_REWRITE_RULE [ADD_CLAUSES] (
      CONV_RULE (ONCE_DEPTH_CONV bt6_val_CONV) (
       REWRITE_RULE [add_bt6] thm))))));;


%
A few interesting lemmas
%

let T_PLUS_3_LEMMA = TAC_PROOF
  (([], "! t . t + 3 = ((t + 1) + 1) + 1"),
   GEN_TAC
   THEN REPEAT (
     PURE_ONCE_REWRITE_TAC [SYM_RULE ADD_ASSOC]
     THEN DEC_ADD_TAC)
   THEN REFL_TAC
  );;


let RANGE_LEMMA = TAC_PROOF
  (([],
    "!t1 t2 (mpc:time->bt6) x .
      (!t'. t1 < t' /\ t' < t2 ==> ~(mpc t' = x)) /\
      ~(mpc t2 = x) ==>
      (!t'. t1 < t' /\ t' < (t2 + 1) ==> ~(mpc t' = x))"),
   REPEAT STRIP_TAC
   THEN ASSUM_LIST (\asl. ASSUME_TAC (
     SPEC "t':time" (el 5 asl)))
   THEN ASSUM_LIST (\asl. STRIP_ASSUME_TAC (
     REWRITE_RULE [SYM_RULE ADD1;LESS_THM] (el 3 asl)))
   THENL [
     ASSUM_LIST (\asl. ASSUME_TAC (
       REWRITE_RULE [el 1 asl] (el 3 asl)))
   ;
     ALL_TAC
   ]
   THEN RES_TAC
  );;


let LESS_SQUEEZE_LEMMA =
  let LESS_EQ_SUC =
    SYM_RULE (
     PURE_ONCE_REWRITE_RULE [DISJ_SYM] LESS_THM) in
  PURE_ONCE_REWRITE_RULE [ADD1] (
   PURE_ONCE_REWRITE_RULE [LESS_EQ_SUC] (
    PURE_ONCE_REWRITE_RULE [LESS_OR_EQ] LESS_EQ_ANTISYM));;


%
Lemma about the FETCH-ISSUE-DECODE sequence.
%


let FID_LEMMA = TAC_PROOF
  (([],
    "! (rep:^rep_ty) (reg:time->(*wordn)list) (mem:time->*memory)
       (psw pc ivec ir mar mbr:time->*wordn) (mpc:time->bt6)
       (int_e:time->bool) .
      Micro_Int rep (\t. (reg t,psw t,pc t,mem t,ivec t,
                          ir t,mar t,mbr t,mpc t))
                    (\t. (int_e t)) ==>
      !t. ((int_e t /\ get_ie rep (psw t)) = F) /\
          (mpc t = (F,F,F,F,F,F)) ==>
          ((reg(t + 3),psw(t + 3),pc(t + 3),mem(t + 3),ivec(t + 3),
            ir(t + 3),mar(t + 3),mbr(t + 3),mpc(t + 3)) =
           (reg t,psw t,inc rep(pc t),mem t,ivec t,
            fetch rep (mem t,address rep(pc t)),pc t,
            fetch rep (mem t,address rep(pc t)),
            add_bt6 (F,SND(opcode rep
                            (fetch rep
                              (mem t,address rep (pc t))))) ^OFFSET)) /\
          ~(mpc (t + 1) = F,F,F,F,F,F) /\
          ~(mpc((t + 1) + 1) = F,F,F,F,F,F) /\
          ~(mpc(((t + 1) + 1) + 1) = F,F,F,F,F,F)"),
   REPEAT GEN_TAC
   THEN STRIP_TAC
   THEN GEN_TAC
   THEN STRIP_TAC
   THEN IMP_RES_TAC (el 1 Micro_Int_Inst_list)
   THEN ASSUM_LIST (\asl. MAP_EVERY ASSUME_TAC (
     CONJUNCTS (REWRITE_RULE [(el 4 asl);PAIR_EQ] (el 1 asl))))
   THEN NORMAL_POP_ASSUM_TAC
   THEN ASSUM_LIST (\asl. MAP_EVERY ASSUME_TAC (
     CONJUNCTS (
      REWRITE_RULE [PAIR_EQ] (
       (\y. MATCH_MP y (el 1 asl)) (
        SPEC "t+1:time" (
         MATCH_MP (el 2 Micro_Int_Inst_list) (last asl)
       ))))))
   THEN NORMAL_POP_ASSUM_TAC
   THEN ASSUM_LIST (\asl. MAP_EVERY ASSUME_TAC (
     CONJUNCTS (
      REWRITE_RULE [PAIR_EQ] (
       (\y. MATCH_MP y (el 1 asl)) (
        SPEC "(t+1)+1:time" (
         MATCH_MP (el 3 Micro_Int_Inst_list) (last asl)
       ))))))
   THEN ASM_REWRITE_TAC [T_PLUS_3_LEMMA;PAIR_EQ;
                         OFFSET_NOT_BEGINNING]
  );;


let Macro_Inst_Correct_LEMMA =
  REWRITE_RULE [Opcode;Opc_Val;GetMPC;Micro_Substate;Next] (
   BETA_RULE (
    SPECL ["rep:^rep_ty";
           "(\t. reg t, psw t, pc t, mem t, ivec t,
                 ir t, mar t, mbr t, mpc t):time->^micro_state";
           "(\t. int_e t):time->^micro_env"]
          Macro_Inst_Correct)));;
let EXPAND_MACRO_INST_RULE x =
  PURE_REWRITE_RULE [GetDest;GetImm;GetSrcA;GetSrcB] (
   EXPAND_LET_RULE x);;


%
Performs repeated symbolic execution on the assumption list
until the MPC has returned to FETCH_ADDR. Keeps track of
the number of iterations and supplies the number as a witness
for the existential quantification.
%

let (INST_LOOP_TAC tm_init):tactic =
  let is_begin thm =
    snd(dest_eq thm) = FETCH_ADDR in
  let tuple_val thm =
    term_to_int (bt_val_func(snd(dest_eq thm))) in
  letrec INST_LOOP_TAC_AUX tm ((asl,w):goal) =
    let INST_TAC n =
      IMP_RES_TAC (el n Micro_Int_Inst_list) THEN
      ASSUM_LIST (\x. MAP_EVERY ASSUME_TAC (
        CONJUNCTS (
         REWRITE_RULE [PAIR_EQ] (el 1 x)))) in
    let n = (tuple_val (el 1 asl)) + 1 in
    let gl,p = INST_TAC n (asl,w) in
    let (asl',w') = (hd gl) in
    let gll,pl = split (
      if (is_begin (el 1 asl')) then
         map (EXISTS_TAC tm) gl else
         map (INST_LOOP_TAC_AUX "(^tm)+1") gl) in
    (flat gll, (p o mapshape (map length gll) pl)) in
  INST_LOOP_TAC_AUX "(^tm_init + 1)";;
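What MK_Micro_Int_Inst_LEMMA and INST_LOOP_TAC do symbolically in HOL (step the microinterpreter from a fetch boundary, count the cycles until the MPC is back at FETCH_ADDR, and use that count as the witness c in Macro_Inst_Correct), and what MACRO_LEVEL_CORRECT_LEMMA later in this section states with Temp_Abs, can be checked concretely on a small machine. The Python model below is an added illustration and is not part of the AVM-1 scripts or of the HOL theories; its three-instruction machine, the instruction encoding, the microprogram, the values of FETCH_ADDR and OFFSET, and the sample program are all constructed for it and merely borrow the page's names (Micro_Int, Macro_Int, Micro_Substate, Opc_Val, Temp_Abs). It checks the three obligations of the abstract interpreter theory: instruction correctness with the cycle-count witness, the LENGTH obligation, and the ORDER obligation, and then the macro-level result obtained by sampling the micro trace at fetch boundaries.

```python
"""Concrete model of the generic-interpreter correctness obligations (added example,
not AVM-1 code).  The machine, encoding and program are constructed for illustration."""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Tuple

FETCH_ADDR = 0   # mpc value at an instruction boundary (page's FETCH_ADDR; value constructed)
OFFSET = 3       # first microaddress of the dispatch table: decode jumps to OFFSET + opcode


def word(op: int, r: int, k: int) -> int:       # constructed 12-bit instruction encoding
    return (op << 8) | (r << 4) | k

def opcode(w: int) -> int: return w >> 8        # the macro-level Opcode of a word
def reg_of(w: int) -> int: return (w >> 4) & 0xF
def imm_of(w: int) -> int: return w & 0xF


@dataclass(frozen=True)
class Micro:                 # the micro-level state tuple (reg, pc, mem, ir, mar, mbr, mpc)
    reg: Tuple[int, ...]; pc: int; mem: Tuple[int, ...]; ir: int; mar: int; mbr: int; mpc: int

@dataclass(frozen=True)
class Macro:                 # what Micro_Substate exposes to the macro level
    reg: Tuple[int, ...]; pc: int; mem: Tuple[int, ...]

def substate(s: Micro) -> Macro: return Macro(s.reg, s.pc, s.mem)


# Microprogram: one function per mpc value, each also sets the next mpc.
def u_fetch(s):  return replace(s, mar=s.pc, mpc=1)                          # 0: mar <- pc
def u_issue(s):  return replace(s, mbr=s.mem[s.mar], pc=s.pc + 1, mpc=2)     # 1: mbr <- mem[mar]
def u_decode(s): return replace(s, ir=s.mbr, mpc=OFFSET + opcode(s.mbr))     # 2: dispatch
def u_addi(s):                                                               # 3: reg[r] += k
    reg = list(s.reg); r = reg_of(s.ir); reg[r] = (reg[r] + imm_of(s.ir)) & 0xFF
    return replace(s, reg=tuple(reg), mpc=FETCH_ADDR)
def u_store1(s): return replace(s, mar=imm_of(s.ir), mpc=6)                  # 4: mar <- k
def u_jmp(s):    return replace(s, pc=imm_of(s.ir), mpc=FETCH_ADDR)          # 5: pc <- k
def u_store2(s):                                                             # 6: mem[mar] <- reg[r]
    mem = list(s.mem); mem[s.mar] = s.reg[reg_of(s.ir)]
    return replace(s, mem=tuple(mem), mpc=FETCH_ADDR)

MICRO_ROM: Dict[int, Callable[[Micro], Micro]] = {
    0: u_fetch, 1: u_issue, 2: u_decode, 3: u_addi, 4: u_store1, 5: u_jmp, 6: u_store2}

def micro_int_step(s: Micro) -> Micro:          # Micro_Int: s(t+1) = rom[mpc(s t)](s t)
    return MICRO_ROM[s.mpc](s)


# Macro level: (FST p, SND p) pairs, i.e. (opcode, semantic function) as in macro_inst_list.
def m_addi(m: Macro) -> Macro:
    w = m.mem[m.pc]; reg = list(m.reg); r = reg_of(w)
    reg[r] = (reg[r] + imm_of(w)) & 0xFF
    return Macro(tuple(reg), m.pc + 1, m.mem)
def m_store(m: Macro) -> Macro:
    w = m.mem[m.pc]; mem = list(m.mem); mem[imm_of(w)] = m.reg[reg_of(w)]
    return Macro(m.reg, m.pc + 1, tuple(mem))
def m_jmp(m: Macro) -> Macro:
    return Macro(m.reg, imm_of(m.mem[m.pc]), m.mem)

MACRO_INST_LIST = [(0, m_addi), (1, m_store), (2, m_jmp)]
def opc_val(op: int) -> int: return op          # Opc_Val: list position of an opcode

def macro_int_step(m: Macro) -> Macro:          # Macro_Int: SND(EL (Opc_Val opc) list)(s t)
    return MACRO_INST_LIST[opc_val(opcode(m.mem[m.pc]))][1](m)


def inst_correct(s0: Micro, max_cycles: int = 16) -> Tuple[int, bool]:
    """Macro_Inst_Correct for the instruction at s0: from a fetch boundary, run microcode
    until mpc is back at FETCH_ADDR.  c is the witness of '?c. Next(...)(t,t+c)'; the loop
    condition is exactly Next (no boundary strictly between t and t+c).  Returns (c, ok)."""
    if s0.mpc != FETCH_ADDR:
        raise ValueError("not at an instruction boundary")
    s, c = micro_int_step(s0), 1
    while s.mpc != FETCH_ADDR:
        if c >= max_cycles:
            return c, False                     # microcode never returned: obligation fails
        s, c = micro_int_step(s), c + 1
    return c, substate(s) == macro_int_step(substate(s0))

def length_and_order_ok() -> bool:
    """LENGTH and ORDER obligations: Opc_Val opc < LENGTH list and FST(EL (Opc_Val opc)) = opc."""
    n = len(MACRO_INST_LIST)
    return all(opc_val(k) < n and MACRO_INST_LIST[opc_val(k)][0] == k for k, _ in MACRO_INST_LIST)

def temp_abs(trace: List[Micro], pred) -> List[int]:
    """Temp_Abs(\\t. pred(s t)): macro time n |-> the n-th micro time at which pred holds."""
    return [t for t, s in enumerate(trace) if pred(s)]

def macro_level_correct(s0: Micro, n_micro_cycles: int) -> Tuple[bool, int]:
    """MACRO_LEVEL_CORRECT_LEMMA, concretely: sample the micro trace at fetch boundaries and
    check that consecutive samples are related by one Macro_Int step.  Returns (ok, samples)."""
    trace = [s0]
    for _ in range(n_micro_cycles):
        trace.append(micro_int_step(trace[-1]))
    sampled = [substate(trace[t]) for t in temp_abs(trace, lambda s: s.mpc == FETCH_ADDR)]
    return all(macro_int_step(a) == b for a, b in zip(sampled, sampled[1:])), len(sampled)


# Constructed sample program: ADDI r0,5 ; ADDI r1,3 ; STORE r0 -> mem[7] ; JMP 0 ; four empty cells.
PROGRAM = (word(0, 0, 5), word(0, 1, 3), word(1, 0, 7), word(2, 0, 0), 0, 0, 0, 0)
INITIAL = Micro(reg=(0, 0), pc=0, mem=PROGRAM, ir=0, mar=0, mbr=0, mpc=FETCH_ADDR)

if __name__ == "__main__":
    print(inst_correct(INITIAL), length_and_order_ok(), macro_level_correct(INITIAL, 30))
```

The ADDI and JMP instructions take four microcycles (fetch, issue, decode, execute), STORE takes five, so the witness c differs per instruction exactly as INST_LOOP_TAC's iteration count does; a microprogram that never returns to FETCH_ADDR (a missing `mpc=FETCH_ADDR` in some step) makes inst_correct report failure rather than loop forever, which is the case the max_cycles bound handles.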


%
Create a goal for instruction n
%

let MK_INST_CORRECT_GOAL n =
  let inst = term_list_el n
               (snd(dest_eq(
                 snd(dest_forall(concl macro_inst_list))))) in
  "! (rep:^rep_ty) (reg:time->(*wordn)list) (mem:time->*memory)
     (psw pc ivec ir mar mbr:time->*wordn) (mpc:time->bt6)
     (int_e:time->bool) .
    (! m . int_fetch rep (int_trans rep m) = (int_fetch rep m)) /\
    (! m a . fetch rep (trans rep m,a) = fetch rep (m,a)) /\
    (! m a x . store rep (trans rep m,a,x) =
               trans rep (store rep (m,a,x))) ==>
    Macro_Inst_Correct rep
      (\t. reg t, psw t, pc t, mem t, ivec t,
           ir t, mar t, mbr t, mpc t)
      (\t. int_e t) ^inst";;


%
Prove the instruction correctness lemma for instruction n
%

let INST_CORRECT_TAC (n,thm) =
  let inst_lemma = EXPAND_MACRO_INST_RULE thm in
  let inst = term_list_el n
               (snd(dest_eq(
                 snd(dest_forall(concl macro_inst_list))))) in
  REPEAT STRIP_TAC
  THEN SUBST_TAC [SPEC inst Macro_Inst_Correct_LEMMA]
  THEN ASM_REWRITE_TAC [inst_lemma;ABS_ENV]
  THEN REPEAT STRIP_TAC
  THEN IMP_RES_TAC INJ_LEMMA_ONE
  THEN IMP_RES_TAC FID_LEMMA
  THEN RES_TAC
  THEN ASSUM_LIST (\asl. MAP_EVERY ASSUME_TAC (
    CONJUNCTS (
     REWRITE_RULE [el 10 asl;PAIR_EQ] (el 7 asl)
    )))
  THEN NORMAL_POP_ASSUM_TAC
  THEN INST_LOOP_TAC "3"
  THEN CONV_TAC (TOP_DEPTH_CONV ADD_ASSOC_CONV)
  THEN BETA_TAC
  THEN ASM_REWRITE_TAC [PAIR_EQ]
  THEN REPEAT CONJ_TAC
  THENL [ % 1 %
    PURE_ONCE_REWRITE_TAC [SYM_RULE ADD1]
    THEN CONV_TAC (TOP_DEPTH_CONV INV_ADD_ASSOC_CONV)
    THEN REWRITE_TAC [
      REWRITE_RULE [ADD_CLAUSES;NOT_SUC] (
       GEN_ALL (SPECL ["m:num";"SUC n"] LESS_ADD_NONZERO))]
  ; % 2 %
    PURE_ONCE_REWRITE_TAC [T_PLUS_3_LEMMA]
    THEN REPEAT (
      ((MATCH_MP_TAC RANGE_LEMMA) ORELSE ALL_TAC)
      THEN CONJ_TAC
      THEN ONCE_REWRITE_TAC [LESS_SQUEEZE_LEMMA])
    THEN (SUBST_TAC [SYM_RULE (SPEC_ALL T_PLUS_3_LEMMA)]
          ORELSE ALL_TAC)
    THEN ASM_REWRITE_TAC [PAIR_EQ]
  ];;

map (delete_cache o fst) (cached_theories());;


%
Prove EINT instruction correctness lemma (special case)
%

let EINT_inst = definition `macro_def` `EINT`;;

let EINT_CORRECT_LEMMA = (TAC_PROOF
  (([], MK_INST_CORRECT_GOAL 32),
   REPEAT GEN_TAC
   THEN SUBST_TAC [
     SPEC "(INR one:bt5+one,ABS_ENV(EINT (rep:^rep_ty)))"
          Macro_Inst_Correct_LEMMA]
   THEN ASM_REWRITE_TAC [ABS_ENV;
                         EXPAND_MACRO_INST_RULE EINT_inst]
   THEN REPEAT STRIP_TAC
   THEN IMP_RES_TAC INJ_LEMMA_TWO
   THEN IMP_RES_TAC (el 1 Micro_Int_Inst_list)
   THEN ASSUM_LIST (\asl. MAP_EVERY ASSUME_TAC (
     CONJUNCTS (REWRITE_RULE [(el 6 asl);PAIR_EQ] (el 1 asl))))
   THEN NORMAL_POP_ASSUM_TAC
   THEN INST_LOOP_TAC "1"
   THEN CONV_TAC (TOP_DEPTH_CONV ADD_ASSOC_CONV)
   THEN BETA_TAC
   THEN ASM_REWRITE_TAC [PAIR_EQ]
   THEN REPEAT CONJ_TAC
   THENL [ % 1 %
     PURE_ONCE_REWRITE_TAC [SYM_RULE ADD1]
     THEN CONV_TAC (TOP_DEPTH_CONV INV_ADD_ASSOC_CONV)
     THEN REWRITE_TAC [
       REWRITE_RULE [ADD_CLAUSES;NOT_SUC] (
        GEN_ALL (SPECL ["m:num";"SUC n"] LESS_ADD_NONZERO))]
   ; % 2 %
     REPEAT (
       ((MATCH_MP_TAC RANGE_LEMMA) ORELSE ALL_TAC)
       THEN CONJ_TAC
       THEN ONCE_REWRITE_TAC [LESS_SQUEEZE_LEMMA])
     THEN ASM_REWRITE_TAC [PAIR_EQ]
   ]) ? BOOL_CASES_AX
  );;

save_thm(`EINT_CORRECT_LEMMA`,EINT_CORRECT_LEMMA);;




%
If PROVE_INST_CORRECT_LEMMA fails, I don't want it to stop the
make, so we'll return a dummy theorem.
%



let PROVE_INST_CORRECT_LEMMA n = (
  TAC_PROOF (([], MK_INST_CORRECT_GOAL n),
             INST_CORRECT_TAC (n,el (n+1) macro_defn_list)))
  ? BOOL_CASES_AX;;




%
Save lemmas for recovery in the event of a crash.
%



let SAVE_INST_LEMMA n =
  let name = (concat `MAC_INST_` (string_of_int n)) in
  save_thm(name,PROVE_INST_CORRECT_LEMMA n);;

map (delete_cache o fst) (cached_theories());;

letrec mk_num_list n m =
  if n = m then [m] else
     (n . (mk_num_list (n+1) m));;

let inst_lemma_list = map SAVE_INST_LEMMA (mk_num_list 0 7);;
map (delete_cache o fst) (cached_theories());;

let inst_lemma_list =
  inst_lemma_list @
  (map SAVE_INST_LEMMA (mk_num_list 8 15));;
map (delete_cache o fst) (cached_theories());;

let inst_lemma_list =
  inst_lemma_list @
  (map SAVE_INST_LEMMA (mk_num_list 16 23));;
map (delete_cache o fst) (cached_theories());;

let inst_lemma_list =
  inst_lemma_list @
  (map SAVE_INST_LEMMA (mk_num_list 24 31));;

let inst_lemma_list =
  inst_lemma_list @
  [EINT_CORRECT_LEMMA];;


%
The first obligation of the abstract interpreter theory
%

let Macro_Int_CORRECT_LEMMA_AUX = TAC_PROOF
  (([],
    "! (rep:^rep_ty) (reg:time->(*wordn)list) (mem:time->*memory)
       (psw pc ivec ir mar mbr:time->*wordn) (mpc:time->bt6)
       (int_e:time->bool) .
      (! m . int_fetch rep (int_trans rep m) = (int_fetch rep m)) /\
      (! m a . fetch rep (trans rep m,a) = fetch rep (m,a)) /\
      (! m a x . store rep (trans rep m,a,x) =
                 trans rep (store rep (m,a,x))) ==>
      EVERY (Macro_Inst_Correct rep
              (\t. reg t, psw t, pc t, mem t, ivec t,
                   ir t, mar t, mbr t, mpc t)
              (\t. int_e t)) (macro_inst_list rep)"),
   REWRITE_TAC [EVERY_DEF;macro_inst_list]
   THEN REPEAT STRIP_TAC
   THEN POP_ASSUM_LIST (\asl. MP_TAC (LIST_CONJ (rev asl)))
   THENL
     (map MATCH_ACCEPT_TAC inst_lemma_list)
  );;

let Macro_Int_CORRECT_LEMMA = (
  UNDISCH_ALL (
   SPEC_ALL (
    PURE_ONCE_REWRITE_RULE [Macro_Inst_Correct_def]
      Macro_Int_CORRECT_LEMMA_AUX)));;


%
The second obligation of the abstract interpreter theory
%

let Macro_Int_LENGTH_LEMMA = TAC_PROOF
  (([],
    "! opc. Opc_Val opc < (LENGTH (macro_inst_list (rep:^rep_ty)))"),
   REPEAT GEN_TAC
   THEN REWRITE_TAC [macro_inst_list;LENGTH;Opc_Val]
   THEN COND_CASES_TAC
   THENL [
     STRUCT_CASES_TAC (SPEC "(OUTL (opc:bt5+one))" FIVE_TUPLE_VALUE_LEMMA)
     THEN REWRITE_TAC [bt5_val;SYM_RULE ADD1;OUTL]
   ;
     ALL_TAC
   ]
   THEN CONV_TAC (TOP_DEPTH_CONV num_CONV)
   THEN REWRITE_TAC [LESS_0;LESS_MONO_EQ]
  );;


letrec DEPTH_FIRST_CONV conv tm =
  FIRST_CONV
    [conv;                                  % try it here %
     RATOR_CONV (DEPTH_FIRST_CONV conv);    % or else try left subtree %
     RAND_CONV (DEPTH_FIRST_CONV conv);     % or else try right subtree %
     ABS_CONV (DEPTH_FIRST_CONV conv)]      % or go through a lambda %
    tm;;

let ONCE_LEFT_REWRITE_TAC =
  GEN_REWRITE_TAC DEPTH_FIRST_CONV basic_rewrites;;

let NOT_ISL_LEMMA = TAC_PROOF
  (([],
    "!opc:bt5+one . ~(ISL opc) ==> (ISR opc)"),
   REPEAT STRIP_TAC
   THEN STRUCT_CASES_TAC (SPEC "opc:bt5+one"
          (INST_TYPE [(":bt5",":*");(":one",":**")] ISL_OR_ISR))
   THENL [
     RES_TAC
   ;
     POP_ASSUM (\thm. ACCEPT_TAC thm)
   ]
  );;


let NOT_ISR_LEMMA = TAC_PROOF
  (([],
    "!opc:bt5+one . ~(ISR opc) ==> (ISL opc)"),
   REPEAT STRIP_TAC
   THEN STRUCT_CASES_TAC (SPEC "opc:bt5+one"
          (INST_TYPE [(":bt5",":*");(":one",":**")] ISL_OR_ISR))
   THENL [
     POP_ASSUM (\thm. ACCEPT_TAC thm)
   ;
     RES_TAC
   ]
  );;
%
The third obligation of the abstract interpreter theory
%

let Macro_Int_ORDER_LEMMA = TAC_PROOF
  (([],
    "!opc:bt5+one . opc = (FST (EL (Opc_Val opc)
                                  (macro_inst_list (rep:^rep_ty))))"),
   REPEAT GEN_TAC
   THEN REWRITE_TAC [Opc_Val;macro_inst_list]
   THEN COND_CASES_TAC
   THENL [
     POP_ASSUM (\thm. ONCE_LEFT_REWRITE_TAC [
       (SYM_RULE
         (MP (SPEC "opc:bt5+one"
                (INST_TYPE [(":bt5",":*");(":one",":**")] INL))
             (REWRITE_RULE [] thm)))])
     THEN STRUCT_CASES_TAC (SPEC "(OUTL (opc:bt5+one))"
                             FIVE_TUPLE_VALUE_LEMMA)
     THEN REWRITE_TAC [bt5_val;OUTL]
   ;
     POP_ASSUM (\thm. ONCE_LEFT_REWRITE_TAC [
       (SYM_RULE
         (MP (SPEC "opc:bt5+one"
                (INST_TYPE [(":bt5",":*");(":one",":**")] INR))
             (REWRITE_RULE [thm] (SPEC_ALL NOT_ISL_LEMMA))
         ))])
     THEN SUBST_TAC [SPEC "(OUTR (opc:bt5+one))" one]
     THEN REWRITE_TAC [OUTR]
     THEN CONV_TAC (ONCE_DEPTH_CONV EL_CONV)
     THEN REWRITE_TAC []
   ]
  );;


let theorem_list =
  instantiate_abstract_theorems
    `gen_I`
    [Macro_Int_CORRECT_LEMMA;
     Macro_Int_LENGTH_LEMMA;
     Macro_Int_ORDER_LEMMA]
    [
     ("rep:^I_rep_ty",
      "(macro_inst_list (rep:^rep_ty),
        Opc_Val,
        Opcode rep,
        Micro_Substate rep,
        (I:*micro_env->*macro_env),
        Micro_Int rep,
        GetMPC:*micro_state->*micro_env->bt6, ^FETCH_ADDR, ^x:one.F)");
     ("e':time->*env'",
      "(\t:time. (int_e t):bool)");
     ("s':time->*state'",
      "(\t:time. (reg t):(*wordn)list, (psw t):*wordn,
                 (pc t):*wordn, (mem t):*memory, (ivec t):*wordn,
                 (ir t):*wordn, (mar t):*wordn, (mbr t):*wordn,
                 (mpc t):bt6)")
    ]
    `MACRO`;;


let correct_lemma = snd(hd theorem_list);;

MACRO_LEVEL_CORRECT_LEMMA =
|- (!m. int_fetch rep(int_trans rep m) = int_fetch rep m) /\
   (!m a. fetch rep(trans rep m,a) = fetch rep(m,a)) /\
   (!m a x. store rep(trans rep m,a,x) = trans rep(store rep(m,a,x))) ==>
   Micro_Int
    rep
    (\t. (reg t,psw t,pc t,mem t,ivec t,ir t,mar t,mbr t,mpc t))
    (\t. (int_e t)) /\
   (?t. mpc t = F,F,F,F,F,F) ==>
   Macro_Int
    rep
    ((\t. (reg t,psw t,pc t,trans rep(mem t),int_trans rep(ivec t))) o
     (Temp_Abs(\t. mpc t = F,F,F,F,F,F)))
    ((\t. (int_e t)) o (Temp_Abs(\t. mpc t = F,F,F,F,F,F)))

Run time: 254.3s

Intermediate theorems generated: 4257


let MACRO_LEVEL_CORRECT_LEMMA = save_thm
  (`MACRO_LEVEL_CORRECT_LEMMA`,
   BETA_RULE (
    EXPAND_LET_RULE (
     ONCE_REWRITE_RULE [Micro_Substate;I_THM;GetMPC] (
      BETA_RULE (
       ONCE_REWRITE_RULE [SYM_RULE Macro_Int_def] correct_lemma)))))
  );;
3.8 The Final Result

This section presents the ML code that creates the theory avm.th.


%
File: mk_avm.ml

Author: (c) P. J. Windley 1990

Date: JUN 23, 1990

Modified:

Description:

Uses the correctness proofs from each level to prove an overall
correctness result for AVM-1
%


set_search_path (search_path() @
  [`/muztag/home/windley/hol/tactics/`;
   `/muztag/home/windley/hol/ml/`
  ]);;

let Library_Root = `/muztag/home/windley/hol/Library/`;;

set_search_path
  (search_path() @
   (map (concat Library_Root)
        [`tuple/`;`decimal/`]));;

loadf `abstract`;;

system `/bin/rm avm.th`;;

new_theory `avm`;;

new_parent `macro`;;

let MACRO_LEVEL_CORRECT_LEMMA =
  theorem `macro` `MACRO_LEVEL_CORRECT_LEMMA`;;

let MICRO_LEVEL_CORRECT_LEMMA =
  theorem `micro` `MICRO_LEVEL_CORRECT_LEMMA`;;

let PHASE_LEVEL_CORRECT_LEMMA =
  REWRITE_RULE [I_o_ID] (
   theorem `phase` `PHASE_LEVEL_CORRECT_LEMMA`);;

let Micro_Int = theorem `micro` `Micro_Int`;;



%
Load abstract type definitions.
%



let rep_ty = abstract_type `aux_def` `opcode`;;
let I_rep_ty = abstract_type `gen_I` `Impl`;;

%
Define type terms for the state and env.
%
let macro_state = ":((*wordn)list#*wordn#*wordn#*memory#*wordn)";;
let macro_env = ":bool";;

let micro_state = ":((*wordn)list#*wordn#*wordn#*memory#
                      *wordn#*wordn#*wordn#*wordn#bt6)";;

let micro_env = ":bool";;

let Phase_state =
  ":((*wordn)list#*wordn#*wordn#*memory#
     *wordn#*wordn#*wordn#*wordn#bt6#
     *wordn#*wordn#bool#bool#ucode#(mia->ucode)#bt2)";;

let Phase_env = ":bool";;

let EBM_state = Phase_state;;

let EBM_env = Phase_env;;

%
Note that micro_rom is substituted for urom. The general version
doesn't imply the higher levels, only the EBM coupled with the
microcode does.
%

let EBM_MICRO_CORRECT_LEMMA = prove_thm
  (`EBM_MICRO_CORRECT_LEMMA`,
   "! (rep:^rep_ty) (reg:time->(*wordn)list) (mem:time->*memory)
      (psw pc ivec ir mar mbr alatch blatch:time->*wordn)
      (mpc:time->bt6) (clk:time->bt2)
      (mir:time->ucode)
      (ireq_ff iack_ff ireq_e:time->bool) .
     let f = (Temp_Abs(\t. clk t = F,F)) in (
      (!p. mk_psw rep (get_sm rep p,get_ie rep p,
                       get_vf rep p,get_nf rep p,
                       get_cf rep p,get_zf rep p) = p) ==>
      EBM rep
        (\t. (reg t,psw t,pc t,mem t,ivec t,ir t,mar t,
              mbr t,mpc t,alatch t,blatch t,ireq_ff t,
              iack_ff t,mir t,micro_rom,clk t))
        (\t. (ireq_e t t)) /\
      (?t. clk t = F,F) ==>
      Micro_Int rep
        ((\t. (reg t,psw t,pc t,mem t,
               ivec t,ir t,mar t,mbr t,mpc t)) o f)
        ((\t. (ireq_e t t)) o f))",
   EXPAND_LET_TAC
   THEN REPEAT (
     STRIP_GOAL_THEN (\thm. (MAP_EVERY CHECK_ASSUME_TAC (CONJUNCTS thm))))
   THEN IMP_RES_TAC PHASE_LEVEL_CORRECT_LEMMA
   THEN IMP_RES_TAC MICRO_LEVEL_CORRECT_LEMMA
  );;

let new_o_THM =
  GEN_ALL (
   SPECL ["f:time->***";
          "Temp_Abs(\t. clk t = F,F):time->time";
          "x:time"] (
    INST_TYPE [(":time",":*");(":time",":**")]
      o_THM));;

let new_o_DEF =
  GEN_ALL (
   SPECL ["f:time->***";
          "Temp_Abs(\t. clk t = F,F):time->time"] (
    INST_TYPE [(":time",":*");
               (":time",":**")] o_DEF));;

let EBM_MICRO_CORRECT_LEMMA_EXPANDED =
  ONCE_REWRITE_RULE [SYM_RULE new_o_THM] (
   BETA_RULE (
    REWRITE_RULE [o_DEF] (
     EXPAND_LET_RULE EBM_MICRO_CORRECT_LEMMA)));;


EBM_MICRO_CORRECT_LEMMA_EXPANDED =
|- !rep reg mem psw pc ivec ir mar mbr alatch blatch mpc clk mir
    ireq_ff iack_ff ireq_e.
    (!p.
      mk_psw
       rep
       (get_sm rep p,get_ie rep p,get_vf rep p,get_nf rep p,get_cf rep p,
        get_zf rep p) =
      p) ==>
    EBM
     rep
     (\t.
       (reg t,psw t,pc t,mem t,ivec t,ir t,mar t,mbr t,mpc t,alatch t,
        blatch t,ireq_ff t,iack_ff t,mir t,micro_rom,clk t))
     (\t. (ireq_e t t)) /\
    (?t. clk t = F,F) ==>
    Micro_Int
     rep
     (\x.
       ((reg o (Temp_Abs(\t. clk t = F,F)))x,
        (psw o (Temp_Abs(\t. clk t = F,F)))x,
        (pc o (Temp_Abs(\t. clk t = F,F)))x,
        (mem o (Temp_Abs(\t. clk t = F,F)))x,
        (ivec o (Temp_Abs(\t. clk t = F,F)))x,
        (ir o (Temp_Abs(\t. clk t = F,F)))x,
        (mar o (Temp_Abs(\t. clk t = F,F)))x,
        (mbr o (Temp_Abs(\t. clk t = F,F)))x,
        (mpc o (Temp_Abs(\t. clk t = F,F)))x))
     (\x.
       ((ireq_e o (Temp_Abs(\t. clk t = F,F)))x))

Run time: 142.2s

Intermediate theorems generated: 4272


let AVM_CORRECT = prove_thm
  (`AVM_CORRECT`,
   "! (rep:^rep_ty) (reg:time->(*wordn)list) (mem:time->*memory)
      (psw pc ivec ir mar mbr alatch blatch:time->*wordn)
      (mpc:time->bt6) (clk:time->bt2)
      (mir:time->ucode)
      (ireq_ff iack_ff ireq_e:time->bool) .
     let micro_abs = (Temp_Abs(\t. clk t = F,F)) in
     let abs = micro_abs o
               (Temp_Abs(\t. (mpc o micro_abs) t = F,F,F,F,F,F)) in (
      (!m. int_fetch rep (int_trans rep m) = int_fetch rep m) /\
      (!m a. fetch rep(trans rep m,a) = fetch rep(m,a)) /\
      (!m a x. store rep(trans rep m,a,x) = trans rep(store rep(m,a,x))) ==>
      (!p. mk_psw rep (get_sm rep p,get_ie rep p,
                       get_vf rep p,get_nf rep p,
                       get_cf rep p,get_zf rep p) = p) ==>
      EBM rep
        (\t. (reg t,psw t,pc t,mem t,ivec t,ir t,mar t,
              mbr t,mpc t,alatch t,blatch t,ireq_ff t,
              iack_ff t,mir t,micro_rom,clk t))
        (\t. (ireq_e t t)) /\
      (?t. (clk t = F,F)) /\
      (?t. ((mpc o micro_abs) t = F,F,F,F,F,F)) ==>
      Macro_Int rep
        ((\t. (reg t,psw t,pc t,
               trans rep(mem t),int_trans rep(ivec t))) o abs)
        ((\t. (ireq_e t t)) o abs))",
   EXPAND_LET_TAC
   THEN REPEAT (
     STRIP_GOAL_THEN (\thm. (MAP_EVERY CHECK_ASSUME_TAC (CONJUNCTS thm))))
   THEN IMP_RES_TAC EBM_MICRO_CORRECT_LEMMA_EXPANDED
   THEN IMP_RES_TAC MACRO_LEVEL_CORRECT_LEMMA
   THEN ONCE_REWRITE_TAC [o_ASSOC]
   THEN ONCE_REWRITE_TAC [new_o_DEF]
   THEN BETA_TAC
   THEN ONCE_REWRITE_TAC [SYM_RULE new_o_THM]
   THEN POP_ASSUM (\thm. MATCH_ACCEPT_TAC thm)
  );;

AVM_CORRECT =
|- !rep reg mem psw pc ivec ir mar mbr alatch blatch mpc clk mir
    ireq_ff iack_ff ireq_e.
    let micro_abs = Temp_Abs(\t. clk t = F,F)
    in
    let abs =
      micro_abs o (Temp_Abs(\t. (mpc o micro_abs)t = F,F,F,F,F,F))
    in
    (!m. int_fetch rep(int_trans rep m) = int_fetch rep m) /\
    (!m a. fetch rep(trans rep m,a) = fetch rep(m,a)) /\
    (!m a x. store rep(trans rep m,a,x) = trans rep(store rep(m,a,x))) ==>
    (!p.
      mk_psw
       rep
       (get_sm rep p,get_ie rep p,get_vf rep p,get_nf rep p,
        get_cf rep p,get_zf rep p) =
      p) ==>
    EBM
     rep
     (\t.
       (reg t,psw t,pc t,mem t,ivec t,ir t,mar t,mbr t,mpc t,alatch t,
        blatch t,ireq_ff t,iack_ff t,mir t,micro_rom,clk t))
     (\t. (ireq_e t t)) /\
    (?t. clk t = F,F) /\
    (?t. (mpc o micro_abs)t = F,F,F,F,F,F) ==>
    Macro_Int
     rep
     ((\t. (reg t,psw t,pc t,trans rep(mem t),int_trans rep(ivec t))) o
      abs)
     ((\t. (ireq_e t t)) o abs)

Run time: 238.1s

Intermediate theorems generated: 3280
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